diversity of things that outputs in a massive number of devices. Each device (physical or virtual) connected to the system, should be traceable and the generated information from the device can be retrievable by other users irrespective of their locations [ 17 ]. Nevertheless, it is necessary that only authorized users can be able to enter and make use of the system and its resources. Otherwise, it may face several security concerns such as data modi cation, identity theft and information leakage. Moreover, security and privacy problems remain a demanding challenge in such a massive scale adoption of IoT systems because of the following reasons: (1) Mostly the communications between these IoT devices are wireless which make the system more susceptible to di erent attacks, i.e. message tampering, eavesdropping and denial-of-service attacks like mirai attack [ 2 ] etc. (2) Devices from di erent company-makers have resource constraints limitation such as processing power, battery and memory capacity that do not allow to deploy advanced security solutions.

Numerous solutions concerning security and privacy in IoT have been proposed that provide the mainstream security requirements i.e. Con dentiality, Integrity, Authentication or simply CIA [ 23 ]. However, due to heterogeneous nature and resource-constrained devices, existing solutions cannot ful ll the desired security requirements in the upcoming large-scale IoT system. Even though some security based solutions are e cient and secure but are commonly based on centralized mechanisms. For instance, PKI (Public Key Infrastructure) faces with scalability issues in case of million nodes.

When it comes to decentralization, Block-chain (BC) technology has acquired an enormous attention in regard to tackling security, anonymity, traceability, and centralization. Ethereum [ 33 ] a public blockchain was introduced in 2014 that run smart-contracts for BC users in order to write and execute application code in a distributed way. Basically, Blockchain is a distributed ledger technology where each operation such as create, read, update and delete, is recorded in the form of a transaction. Any unauthorized user accessing data or any operations on the previously processed data can, therefore, be detected. Furthermore, smart contracts are used to apply some access control mechanisms on the stored data. A number of researches have shown the integration of BC technology in di erent IoT use-cases. [ 15,32,10,8,31,19,12,7,14 ].

As from various studies, it has been found that blockchain has become a promising technology to meet future IoT security requirements [ 13 ]. Several Authors [ 16,15,30,18,17 ] put e orts in decentralized security mechanisms for upcoming large-scale IoT systems. But the limitation to all the approaches is that: there is no device-level trust that can prove any particular zone to external entities in case of supposing the communication to occur between di erent IoT networks. The contribution of this paper is as follows: 1. Implement our own custom Behavior Monitor in IoT-Blockchain setup that can store & monitor IoT devices data and classify its behavior (normal or malicious) to prevent attacks. 2. Applying a lter on sensor-level that can stabilize output from single/multiple sensors to avoid faulty or malicious sensors in the network. 3. To implement Trusted Execution Environment (TEE)) on a local blockchain of each IoT-Zone that ensure the integrity and con dentiality of sensitive application code and data. 2 2.1

The Internet of Things is the interconnection of smart-devices, mechanical and digital machines, objects and people that are capable of transferring data over the network without any human intervention. On the broader scale, IoT applications areas are smart-homes, smart-cities, smart-healthcare, etc. The major components [ 6 ] in IoT ecosystem includes: { Smart-devices & Sensors: The rst layer is the device connectivity layer of IoT network, which constitutes di erent sensors like temperature sensor and thermostat, humidity sensor and many more. { Connectivity: Devices in IoT are connected to low power wireless networks like LoRAWAN, ZigBee and Wi etc. { Gateway: It acts as a middle layer between devices and manages the bidirectional transmission between networks and protocol. One of the key functions of a gateway is to translate di erent protocols and make them interoperable. { Cloud: This component integrates billion of sensors, smart-devices gateways, data storage and provides di erent predictive analytics. { Analytics: This is the process of converting the raw data (analog) of billion of devices into useful insights which can be further used for detailed analysis. 2.2

Blockchain technology was initially introduced and brought in 2008 and used by a remarkable known cryptocurrency, Bitcoin [ 26 ]. It is a decentralized ledger technology that builds on a peer-to-peer network. Each node in the BC network holds an updated ledger copy that can hinder from a single point of failure. In the past few years, the blockchain mostly based on cryptocurrencies such as [ 26 ] [ 9 ] in order to avoid the double-spending problem. However, recently numerous application areas have been explored where the blockchain can be set up to create and maintain digital transaction records in a secure and distributed fashion.

The ledger in BC is composed of blocks, and each block contains two parts. The rst part represents the transaction (that need to be stored in a database), which can be of any kind, such as patient record, network tra c log, goods transaction, etc. The second part includes the header information such as hash of a current transaction, hash of previous hash and timestamp. Thus, storage in this way makes a sequenced block of linked chain as shown in Fig. 1. Furthermore,

IoT devices generate a massive volume of data, that must be appropriately stored and analyzed for useful purposes. For each IoT operation (create, update, delete, read), the data can be registered in the form of transactions in the BC-blocks. Device identity information can be registered in a block such as manufacturer information and live status where the device is in use. Smart-contracts are used to enforce access control policies for IoT devices which means that any unauthorized access to a device can be therefore identi ed. There is no need for a central authority for storage, such as cloud, for IoT protection. Blockchain provides data authenticity, data integrity, traceability and prevents from unauthorized access. BC can also enable a secure channel of messaging between IoT devices. Exchange of messages from one device to another device can be handled like nancial transactions ow in crypto-currencies, e.g. Bitcoin [ 26 ]. 2.4

The decentralized and distributed nature of blockchain makes it a promising security solution for IoT use-cases. IoT and blockchain integration enables a higher and sound security level, which otherwise could not be accomplished by any other technology or nearly impossible. Some of recent proposals in regards to IoT security with blockchain are as follows:

In [ 21 ], authors proposed a blockchain-based solution for managing IoT devices and con gurations using Ethereum. A unique key-pair (Public & Private) is assigned to each device in the network. The private key is kept inside the device, while the public key is registered as a transaction in the blockchain. An IoT device can then be reached and access through ethernet by its public key.

Thus, it is concluded that the management and control of IoT devices through blockchain is possible.

A solution proposed in [ 24 ], which make use of blockchain for secure rmware updates in IoT devices where tra c directly to the network server is replaced by local peers of the blockchain nodes. The manufacturer is supposed to store the hashes of updated rmware on the blockchain that can be easily accessible to all the IoT nodes.

IoT devices using in medical and healthcare zone are also subjected to the same security and privacy issues. For medical IoT system, it must be attack resistant and reliable enough. User safety and privacy is very critical and must be protected from any malfunction caused by a security incident or imprecise/faulty device. The risk of device malfunction can overcome in blockchain by immutable ledger technology. Nichol et al. [ 28 ] proposed the feasibility of BC in order to provide reliability in medical IoT devices. Upon a device is manufactured and installed, a hash of UID (unique identi er) along with the other relevant information such as manufacturer information are stored in BC. Later, this data will be updated with doctor-name, patient-history, and hospital information. The doctors and patients can be automatically informed about the device status like battery expiry, patient health irregularities. 2.5

Trusted Execution Environments (TEEs) [ 4,3 ] have been used to enhance security and e ciency in the blockchain protocol. TEEs provide con dentiality and integrity to the sensitive part of application code in a system, until and unless the CPU is not compromised physically by an attacker. TEEs also support remote attestation [ 22 ], that allows remote parties to verify the health of software with genuine TEE.

Intel provided TEEs functionality in Software Guard Extension (SGX) [ 4 ]. SGX is a set of CPU instructions inside Intel's x86 processor design which can allow creating an isolated environment for the execution of selected pieces of code in protected areas called enclaves. These enclaves are designed to run software in a trustworthy environment, even on a system (host) where the operating system and memory are untrusted. There are three main functions of enclaves which are isolation, sealing and attestation. A short description is as follows: { Isolation: Data and code inside the enclave memory are protected and cannot be read or altered by any external process. { Sealing: Data supposed to send to host environment should be encrypted and authenticated with a seal key. { Attestation: Remote parties are allowed to verify an application enclave identity, credentials, and other data. 3

A local private blockchain is deployed on a master node (Raspberry pi-3) of each zone and populated with the hashes of transactions generated from smartdevices. Hyperledger Fabric [ 9 ] a permissioned-BC is implemented as a local BC, we discussed the work ow of fabric with IoT in our previous research [ 8 ]. For prototype implementation, we use the dataset [ 5 ] of IoT tra c that has been collected from various sensor communication. For each communication between nodes or smart-devices, a transaction is created and stored in the local BC. Note that in the majority of the current BC technologies, actual data of IoT devices are not stored in the BC due to overheads (i.e. processing & network).

In each zone, a single device having more computational power than others, acts as a master or main node. Likewise in our model, we use raspberry pi3 which is computationally and energy-e cient act as a master/main node. Once the number of transactions reaches a pre-de ne blocksize, the master node creates a new block and append it to local BC. Afterwards, we realize Intel SGX [ 4 ] as a root-of-trust on top of BC to ensure that the execution of sensitive code and applications are in trusted mode. As shown in Fig. 2, the TEE-enabled application is composed of a trusted and untrusted part. For sensitive operations like encryption and hashing, a trusted-function is called. The function returns, and the data inside the trusted part (enclave) remains in trusted memory and is not accessible to external entities. Moreover, implementing SGX technology on blockchain allows the proposed scheme to: { Protect the applications running on BC and data protection that cannot be accessed by the execution host. { Make sure that the application/data on BC is expected and correct. { Protect end-to-end privacy of application result, which cannot allow others to inspect but the user. { Provide a BC-based validation by verifying the applications inside enclave is neither tampered nor interrupted by any node in BC. { Make sure the application and execution results are valid, and not tampered or fabricated by any malicious node. 4.3

The main goal of this research is to integrate our custom behavior monitor that can classify the behavior of every device and compute a level-of-trust on each zone. As mentioned earlier, all the nodes (followers) in a speci c zone do their operations (read, write) via the master/main node. The scheme in Fig. 4 depicts our proposed approach with all the entities in detail. Data or transactions from nodes is considered as a behavior of that particular node. The master node is a device that centrally processes all the incoming and outgoing transactions to and from a zone.

Whenever a data is received by the master node from the follower node, the master node stores the data in the behavior monitor and appends the corresponding hash to the ledger in blockchain. A sequence-ID (SEQ-ID) is assigned to each transaction while storing in behavior monitor, and a Hash-ID (H-ID) is attached to the corresponding hash in BC, for reference. Finally, a machine learning strategy is used to actively monitor the incoming data and classify them as normal or malicious.

For analysis and detection of behavior, we rely on deep Auto-encoders (AE) [ 20,27 ] for IoT devices, which is trained from statistical correlation features extracted from benign data. The process of behavior detection and monitoring consists of the following stages. (1) Data collection (2) Feature extraction (3) Training model (4) Continuous Behavior Monitoring.

Data Collection At this point, we refer to the dataset [ 5 ] that has been collected from various sensors in the IoT network. In real-time, to ensure that the training data is clean and not malicious, normal tra c from IoT devices are collected immediately after its joining to the IoT network.

Feature Extraction Whenever data from IoT devices arrives, a behavioral snapshot of the protocols and host related to data are stored in our behavior monitor. The snapshot contains di erent parameters, i.e. source IP, destination

IP, MAC-address and port number, etc. We use the same set of features mentioned in the dataset for real-time detection of malicious activities in IoT devices. For example, when a compromised node in a zone spoof an IP, then the features aggregated from the source-IP, destination-IP and MAC-Address will immediately mark as malicious because of unseen activity from the respective spoofs IP.

Training Model As our baseline model for behavior detection, we use deep auto-encoders that can build and maintain a learning model on each zone of IoT use-cases. An auto-encoder is a type of arti cial neural network (ANN), which is trained to re-structure the data after some compression. The compression ensures that the model would be able to learn meaningful concepts and the correlation between di erent sets of features. For training purposes, we use two sets of data which consists of only benign (normal) data. The rst dataset is a training dataset (TDS ) which is used to train the auto-encoder by declaring input parameters such as learning rate (lrn, size of gradient descent step), and epochs (number of iterations through TDS ). The second dataset OptDS (Optimization Dataset) is used to optimize the above hyper-parameters (lrn & epochs) iteratively until the mean square error (M SE) function between the input and output stop decreasing. This stopping prevents over tting in TDS and help out better detection results with future data. Later on, (OptDS ) is used to identify normal and malicious activities and false positive rate (FPR).

After the model training and optimization is completed, the threshold value (thv) is set by which an instance of data is considered malicious. Empirically, it is calculated by the sum of the sample mean along with the standard deviation of M SE on OptDS (see Equation 1).

thv = M SEOptDS + s(M SEOptDS ) (1) AE

IsoForest

SVM

LOF Fig. 5. Detection Accuracy comparison with other Algorithms

0.8 te 0.6 a R y c rau 0.4 c c A 0.2 0

True Postive False Postive ) s d n o c e s ( e m i T n o i t c e t e D 6 4 2 0 SVM LOF IsolationForest AutoEncoder 1.5

2 DeviceID Continuous Behavior Monitoring Finally, the model is applied to continuously observe the data and to label each instance as normal or malicious. Consequently, an alert against abnormal behavior can be issued to indicate the IoT device is malicious. Afterwards, for each IoT zone, the behavior monitor calculates a trust-level measurement and a threshold must be de ned for every use-case. Whenever a user or node from outside needs to accessed data from any speci c zone, our model is capable of disclosing the health of zone before establishing a connection. This way a trusted environment can be built and informed the user about the state of any particular zone before actual communication. 5