=Paper= {{Paper |id=Vol-2844/aitcps1 |storemode=property |title=Security Assessment in IoT Ecosystems |pdfUrl=https://ceur-ws.org/Vol-2844/aitcps1.pdf |volume=Vol-2844 |authors=Sotirios Evangelou,Charilaos Akasiadis |dblpUrl=https://dblp.org/rec/conf/setn/EvangelouA20 }} ==Security Assessment in IoT Ecosystems== https://ceur-ws.org/Vol-2844/aitcps1.pdf
Security Assessment in IoT Ecosystems

Sotirios Evangelou (swtevag@gmail.com)
Dept. of Electrical and Computer Engineering, University of Thessaly, Greece

Charilaos Akasiadis (cakasiadis@iit.demokritos.gr)
Institute of Informatics and Telecommunications, N.C.S.R. ‘Demokritos’, Greece

ABSTRACT
The Internet of Things (IoT) and "Smart Everything" trend is a reality that is becoming part of our daily lives. Consequently, there is a gradual increase in the deployment of real world IoT systems that attempt to make use of the various possibilities and benefits the IoT offers. However, the connection of billions of—usually inherently insecure—devices in a network, paired with the lack of a clear security framework for the development of IoT systems and platforms, has widened the attack surface of these systems, leading to them being targeted by malicious actors. In this paper, we explore the problem and related research, devise an assets taxonomy and focus on the security requirements for each asset category. Then, we discuss countermeasures and good practices as well as new approaches based on AI that improve security and intrusion detection capabilities. We also introduce a metric that can be incorporated by automated security auditing methods. The relevance of this metric is evaluated with respect to correlation across findings from a real-world study.

KEYWORDS
Security, Internet of Things, IoT Ecosystems, Artificial Intelligence, Asset Taxonomy

1    INTRODUCTION
The Internet of Things (IoT) is a complex network that interconnects "things", i.e. uniquely identifiable programmable devices with physical sensing and/or actuation capabilities that form cyber-physical systems. Such devices mainly sense data from the physical world and take actions, with the possibility to also inter-operate with processing services [15]. The benefits offered are quite a few and they are currently being used in a wide range of use-cases, including healthcare [20, 26], fitness [41], manufacturing [57, 58], and agriculture industry [32, 49] among others. Ideas that would previously have been deemed far-fetched and futuristic, such as self driving cars [17] and smart cities [34], are now realized.

The statistics related to the IoT are so far remarkable, and more or less depict the impact they induce in modern life. According to IoT Analytics [30], at the end of 2019 the number of active IoT devices was estimated to be 9.5B, without counting mobile devices, or inactive ones; this number is continuously increasing. During the period of 2017-2025 the Compound Annual Growth Rate (CAGR) for the IoT connections is estimated to be 17%, reaching 25 billion in 2025 and a 1.1 Trillion USD global market revenue according to FICCI/EY [48]. The total data volume by 2025 is projected to be 79.4 ZettaBytes (ZB) [38], and the number of IoT products is also rising, with publicly known IoT platforms in particular counting to 620 in 2019 [29]. Such information illustrates the size of the IoT potential. Adoption and usage rates are continuously rising and such solutions are used to reinforce important aspects of the production processes, including automation, monitoring and data analytics, towards sustainable and cost-effective processes.

Now, as with every disruptive technology, there are some challenges regarding IoT adoption as well. An important issue, which mainly comes up due to efforts to reduce investment costs, is increased security risk. Throughout the years, multiple vulnerabilities and security incidents have affected IoT ecosystems. Thus, focus is put into mitigating existing weaknesses and improving the security posture of such products. Research on IoT Cybersecurity covers a wide range of aspects, including the incorporation of security in the SDLC, auditing methodologies, surveys on attacks and common vulnerabilities, studies on good practices, as well as physical, hardware, software, and network security [1, 36].

In this work, we examine past research in the domain of security for IoT, and present a high-level taxonomy of the assets that compose a typical IoT ecosystem. Then, we briefly describe methods for evaluating the security posture by focusing on each of the identified assets, exploring insecure factors to assess desired requirements and highlight the aspects that could be reinforced. We cover a variety of ecosystem entities, since each of the assets performs differently in the ecosystem, and provides diverse security propositions due to the different nature of the various technology stacks incorporated. We establish a security baseline for each asset and collectively for the ecosystem itself. Additionally, we devise an index that combines aggregate real-world vulnerability data and their respective standardized scores (CVSS) into a single numerical value. Such an index can be incorporated in automated security assessment processes to compare security awareness and preparedness capacity of large IoT ecosystems. To illustrate applicability and effectiveness, we perform a correlation analysis with data from a real-world study providing cybersecurity statistics from many countries.

This paper is further structured as follows: In Section 2 we explore the previous related research. Section 3 provides a typical Internet of Things ecosystem asset taxonomy, and highlights the security requirements that need to be put in place, proposing controls, countermeasures, and best practices that can be applied to make each asset more secure. Section 4 presents a metric for cybersecurity awareness comparison between large device groups based on cumulative vulnerabilities to known attacks as well as the results from an analysis on real-world data that validates the metric’s applicability. Finally, in Section 5 we conclude and discuss our future intentions.

AIT-CPS2020, September 02–04, 2020, Athens, Greece
Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

2     RELATED WORK
Given the widespread adoption of IoT in business processes and the every-day lives of individuals, an IoT product should not be deemed ready to enter the market unless it fulfils some baseline security requirements. Here, we provide an overview of related work describing such sets of requirements and recommendations.

To begin, ENISA, the European Union Agency for Cybersecurity, offers two significant reports providing baseline recommendations, good practices, and guidelines for IoT product development, maintenance, and end-of-life management. In both of the reports, a detailed asset and threat taxonomy is presented, with a special emphasis on the most critical parts, along with the impact and the stakeholders that they affect. The first report [1] also performs a gap analysis, and offers good practices and recommendations. However, the recommendations mostly focus on non-technical aspects and serve a development, maintenance, and management strategy purpose. The good practices report [2] of 2019 emphasises the incorporation of security in the software development life cycle of IoT products, analysing each cycle phase, and presenting good practices. Three types are recognized, the "People" which affect all stakeholders and phases, the "Processes" that affect the mechanisms surrounding the software project’s environment, and "Technologies" that consist of countermeasures and development good practices.

In another approach, the Infocomm Media Development Authority presents an IoT Cybersecurity Guide that offers suggestions for the implementation and operational phase of the product and two checklists, a threat modelling checklist and a vendor disclosure checklist [3]. By using such checklists, potential vendors and developers can perform a self-assessment on the security posture of a product in development, evaluating if it is secure and market-ready. Here, we provide links to a thorough checklist, categorized by the taxonomy of the IoT ecosystem.

These works offer to vendors a defined set of requirements and guidelines that should be applied to a newly developed IoT product, so that it operates securely, adhering to privacy and safety needs. This paper combines the identification of assets, the security requirement assessment, and insecurity exploration, as well as a proposition of measures to address such insecurities. We approach the IoT ecosystem from a higher-level cyberphysical system’s viewpoint and address all the types of co-existing stakeholders, including developers, system administrators, deployment infrastructure and end-users. We also focus on AI-related tools and programming techniques that can be applied by the responsible teams to improve the ‘marginal’ security of each asset.

2.1    The Attack Surface of IoT
An important aspect in the cybersecurity domain is the “attack surface”, i.e. the sum of insecure entry points that a malicious actor could utilize in order to enter or attack an IoT system.

In [46], there is a focus on the network aspect of IoT deployments. They decompose a network into trust zones, and categorize existing devices into IoT domains (Finance, Home, Wellness etc.). Then, 14 common vulnerabilities are mapped to common attacks like Denial of Service, Ransomware, and SCADA Trojan horses. Finally, security controls to mitigate these weak spots are presented, and a detailed map of IoT domains with the vulnerabilities, attacks and security controls associated with these domains is also given.

In [16], the Internet of Things security challenges are analysed and security requirements are presented, such as the CIA triad (Confidentiality, Integrity, Availability). Then, a decomposition of the IoT architecture into three basic domains is performed: the cloud domain containing the IoT applications and services, the sensing domain containing the devices and their communication means, and the fog domain including everything that stands between the sensing and cloud domains. Authors delve into security vulnerabilities and common attacks regarding these three domains, and propose countermeasures for each of the cases explored.

Security is examined in different IoT layers in [51]. They assess security based on systems software and hardware controls, as well as anti-tampering physical security techniques. Emphasis is placed on the network layer, and in particular on encryption, authentication, secure routing, and key management for the encryption mechanisms. Denial of service (DoS) and distributed denial of service (DDoS) techniques are also referenced as a “popular” attack against IoT devices. The application layer security is also examined, and methods for security-by-design and run-time monitoring of the new Internet of Things products are proposed.

Finally, [36] performs an in-depth survey on IoT vulnerability research. The paper sums up a variety of research focused on the attack surface of IoT architectures, and presents a taxonomy of the collected results depending on different aspects—i.e., Layers, Impact, Attacks, etc.—and maps the corresponding research to these classifications. An empirical overview of the vulnerabilities is also presented, and the survey concludes with a presentation of the most important security challenges, paired with possible future initiatives to fight against each one.

These threat analyses cover a wide range of the possible threats concerning IoT infrastructures and products. Taking them into consideration, in Section 3 we create a picture of the baseline security requirements, and consequently the security measures that need to be in place in order to protect IoT deployments from such threats.

2.2    Artificial Intelligence-based Approaches
Artificial Intelligence (AI) and Machine Learning (ML) techniques are employed in a variety of methods for IoT security. Although manual labour and configuration are not yet fully replaceable in this domain, there are a number of aspects where AI techniques can provide great results towards a secure IoT ecosystem. In [5], the use of artificial neural networks (ANNs) as an intrusion detection system to combat DDoS attacks is evaluated. A multilayer perceptron neural network (MLP) is used to create an anomaly-based intrusion detection system. Experiments in a custom IoT deployment show a great detection rate of 99%, while also providing a low false positive rate, which is one of the most significant goals of an intrusion detection system. Other than neural networks, techniques that perform well in network intrusion detection are k-NN, Random Forest, and Support Vector Machines [35, 61].

Local malware scanning is also an aspect where artificial intelligence techniques can be a great supplement to existing signature-based techniques. While signature-based approaches can protect against known malware, monitoring behaviour with AI techniques
can often protect against new or unknown malware. In [56] there is a proposition for the use of k-NN and Random Forest classification algorithms on collected traffic data to identify malware with a high accuracy on standard datasets. The lack of resources in constrained devices is also addressed, where the solution is to collect application traces locally, and appoint the model training and predictions to a capable and trusted external server.

In [56], two unique use-cases are also reported, where ML can play a significant role in IoT devices. The first is for secure IoT off-loading as a method to combat jamming and Man In The Middle (MITM) attacks. Using reinforcement learning, and specifically the Q-learning technique, the model takes into consideration the task priority, channel bandwidth, gain, and jamming power in order to decide on off-loading policies according to a Q-value that indicates the long term reward from choosing this policy. Using this approach, the device can choose optimal offloading channels and subbands in order to avoid interference and jamming as well as spoofing attacks. Convolutional neural networks can also be used for the same purpose but they require more computational resources than Q-learning. The second case of [56] regards authentication using ML methods in order to avoid spoofing attacks. By using physical layer indicators, such as the received signal strength or the channel state information, learning techniques are able to exploit the indicators’ connection to spatial characteristics in order to single out connections that are initiated from outside a threshold proximity, thereby reducing spoofing rates. Other than Q-learning, both supervised (distributed Frank Wolfe and incremental aggregated gradient) and unsupervised algorithms (Infinite Gaussian Mixture Model - IGMM) are used. For more resourceful devices, deep neural networks can also be applied to further improve the accuracy rates. IGMM is also reported as a useful algorithm for authentication by fingerprinting [24], where it is used to validate the credibility of the device by comparing the IGMM result with an expected value depending on the device’s nature and shape. With respect to environmental changes, the model is able to distinguish a normal from a malicious one.

ML and essentially supervised learning methods usually require significant volumes of information termed as "Big Data" populating datasets used in security AI [60]. Information, apart from being the input that affects a model’s decision, also plays a significant role in training, improving prediction accuracy and validating its efficiency. In order to leverage the advantages AI has to offer, we need to establish a way to collect, clean, and format corresponding data. An infrastructure for collecting, storing and analysing big data in IoT systems is presented in [47]. A data collection and actuation layer is introduced, with the collection aspect comprised of system- and application-level probes, a probe registry listing all the used probes, and a data routing middleware to route the data to the respective recipients. The actuation aspect includes Security Policy Enforcement, where the data collected can be used to drive security decisions (e.g. disabling a service or closing a port), and visualizations, where collected data and analyses are displayed. The infrastructure also offers management agents and configuration tools.

2.3    Security Evaluation on Existing IoT Solutions
As IoT continuously evolves, it is useful to frequently perform security evaluations of widely used IoT platforms, frameworks, devices, products, and protocols. By reviewing the security controls in products that are currently in use or available for sale across the world, we can both see the common trends in security and their impact, as well as highlight the needs for more robust solutions.

In [9] a survey is presented on the architecture, hardware and software specifications, and security features regarding authentication, authorization, and secure communications in multiple IoT frameworks developed by popular vendors. These products are AWS IoT (Amazon), ARMbed (ARM), AzureIoT (Microsoft), Brillo/Weave (Google), Calvin (Ericsson), Homekit (Apple), Kura (Eclipse) and Smart Things (Samsung). Considering the conclusions, authors compare the chosen security controls and discover trends, such as the universal use of TLS/SSL and the popularity of AES cryptography and X.509 certificates.

The security of IoT products created for the Smart Home domain, including televisions, bulbs, etc., is examined in [7]. After decomposing deployments into 4 parts, namely the device, the mobile application, the cloud endpoint, and the communications, they proceed to explore existing research to identify the attack vectors of each part. These are cross-referenced to a wide variety of home IoT products. Next, by using the CVSS (Common Vulnerability Scoring System) standard [33] and associating every product with publicly known CVEs (Common Vulnerabilities and Exposures), they evaluate each product’s security posture.

Meanwhile, there is research focusing on other domains as well, such as the Healthcare domain, e.g. in [42], where an evaluation of medical devices’ resiliency to a plethora of attacks is performed with an emphasis on the significance of cryptography. In the case of the Industrial IoT domain, the work of [4] focuses on the security of such deployments to explore a method of continuous risk assessment.

3     SECURITY AUDITING METHODOLOGY FOR IOT ECOSYSTEMS
The Internet of Things is a complex ecosystem that consists of multiple significant components that one should be aware of. Moreover, as far as cyber-security is concerned, each of these components introduces its own security concerns, resulting in a wider attack surface. In this section we present a coordinated methodology for decomposing complex Internet of Things ecosystems into simpler categories, and identify essential security controls and practices that should be applied in these components in order to improve the security of the overall ecosystem.

3.1    Asset taxonomy on a typical IoT Ecosystem
Despite the heterogeneity of IoT ecosystems that are currently deployed in the real-world, there are some components that are essentially the same in whichever ecosystem one decides to examine, and by identifying these components we can create an image of a typical IoT ecosystem, and this way generalise on its various
assets and functionality. Figure 1 presents a typical IoT ecosystem and enumerates its basic assets, providing an asset taxonomy; we identify nine different basic assets, each with a separate role in the ecosystem, associated with different stakeholders, and introducing its own security risks. The asset taxonomy approach is definitely not new [1]. Our taxonomy, however, takes into consideration the human factor, as well as further decomposes the platform aspect for more structured assessment of its parts, distinguishing the following asset categories:

Users. The entities that constitute the end-users of the ecosystem, and who benefit from its use. Users can be individual persons, organizations, companies, or even whole countries. Apart from profit makers, this category also includes participants beyond development or marketing professions.

Devices. Smart watches and smart home equipment, sensors, surveillance cameras, and generally low-resource internet connected devices, all fall under this asset category. The devices can have both sensing and actuating capabilities.

Communication Channels. Communication channels are intangible entities and present the mechanisms that allow the interconnection and communication of users and devices to remote storage and computation spaces called the cloud.

Message Brokers. The message brokers are entities that reside in the platform part of the ecosystem and are the main entrypoints for data coming from IoT devices. The message brokers typically support many application protocols in order to promote interoperability and allow communication with other IoT devices.

Web Applications. The web applications are the IoT platform’s entry points for Users, i.e. typical web interfaces that allow logging in and performing the various actions that each platform provides. Examples include adding/removing devices, handling data and incorporating logic, or exporting respective data from the platform.

Database Systems. The database systems are responsible for storing data. They can be relational or non-relational, depending on the platform, and they are key components for various mechanisms, such as authentication and authorization, data management, and the provisioning of data to IoT applications.

Internet of Things services/applications. This asset refers to applications that perform logical operations on data provided by IoT devices or databases, and output results that benefit the Users. Most platforms provide a set of predefined services, and some of them also allow the creation of custom applications, which are usually executed in virtualized environments.

Back-end Servers. The back-end orchestrates the functionality of IoT platforms. It handles the interconnection and logical operation of the different assets, specifically the databases, the message brokers, the web applications, and other IoT services.

Deployment Infrastructure. This layer constitutes the basis of IoT platforms, either on edge or cloud level. It refers to the physical servers where the platforms run, and the network deployment (routing, DNS etc.) that allows the communication between users and devices, with the remote platform services. It also provides connectivity capabilities to the platforms as well as bandwidth management.

Figure 1: Asset Taxonomy of a typical IoT ecosystem

3.2    Asset security requirements and countermeasures
The assets of this taxonomy can be found in the majority of IoT ecosystems and can be used to decompose a specific ecosystem respectively, regardless of the different implementation and technical specifications. Such an approach makes the security assessment simpler, as it focuses on the sub-surface that a researcher has to audit each time. Now, each asset should be assessed sequentially and the methodology should inform the researcher of requirements that need to be satisfied. Next, recommendations and best practices can be provided that will make each individual asset, and collectively the whole ecosystem, more secure. The propositions should provide a secure and trusted baseline that the stakeholders of each asset can build upon. Overall, there are some security measures and practices that are applicable to almost any asset category, and for that reason we discuss them first, in order to avoid repetition.

   (1) Keep everything up to date. Commercial systems and programs are constantly updating with new versions and patches, often addressing one or more CVEs. Thus, it is important to update the software versions regularly, since an internet search is enough for a malicious actor to inspect and possibly harm a vulnerable system.
   (2) Backups. Frequent backups are an essential good practice that needs to be followed. Source code, database information, configurations and other data that might be deleted by mistake or malice should be kept on a separate storage medium, as backups with controlled access. This allows for quick recovery of production and even identification of a vulnerability in the event of a security incident.
   (3) Monitoring and Logging. Keeping information about changes in the state of assets is important. Logging significant events is useful for debugging, or, in our case, for inspecting security incidents. Monitoring is similar to logging, but presents results in more intuitive ways (e.g. real-time graphs), and raises alerts when behaviour deviates. Often, ML techniques build models based on such values to predict and avoid unwanted situations, such as DoS attacks.
Based on the security control propositions that follow, we have          3.4    Devices
compiled thorough checklists that summarize these measures.1             The Devices asset consists of every IoT device in the ecosystem.
                                                                         From a security perspective, the aspects of hardware, software
3.3     Users                                                            architecture and physical security of the device should be examined.
In the ICT domain, the human factor is widely assumed to be the             Physical security is defined by the controls that exist in place to
most weak and exploitable one. The occasions in which the human          protect against malicious activities from actors with physical access.
factor becomes the reason for a security breach, mainly fall under       There are a lot of techniques that users and device vendors can
three categories: insider threats, careless and unaware personnel        apply in order to improve the physical security of their product, e.g.
or users, and lack of business security culture/strategy.                make sure that the device is not accessible, or not leave physical
   One measure that is applied at scale for this type of asset, is       ports exposed. AI biometric access control to the IoT devices is
the signing of NDAs (Non Disclosure Agreements), legal contracts         encouraged when combined with rule-based access such as pass-
signed by the employees, that forbid them from disclosing infor-         words, as AI substantially improves the accuracy of fingerprint,
mation regarding the company to third parties, protecting this way       facial or iris scans [59]. Additionally, tampering prevention mecha-
the intellectual property of the organization. Another measure is        nisms [19] should be considered, that make it difficult for someone
the strict access control over the company’s assets; this can be         to physically tamper the device, e.g. boards encapsulated, or coated
achieved by monitoring access, logging, and analysis. Company-           with specific materials such as epoxy or silicone. Security fuses
wide policies for least privilege and segregation of duties can also     are also widely used, and they are mechanisms of access control to
be applied, so that access is given to only the assets that are abso-    the on-chip memory. These mechanisms are usually built in a way
lutely necessary for the completion of each employee’s function.         that they destroy stored data in the case that someone attempts
In this regard, AI technology can also contribute through User and       to erase or reprogram them, as can happen for example with UV
Entity Behavioral Analytics (UEBA), that monitor user behaviour          lights in semi-invasive attacks. In many cases, tampering detectors
to identify anomalies and potentially prevent malicious actions.         are also installed into the device. This way many types of physical
Tools like IBM QRadar UBA are able to monitor human factor be-           attacks can be detected and be handled accordingly. Side channel
haviour, assign roles and identify role behaviour deviations to alert    attacks [8] are also a major threat for embedded devices. Passive
on occasions like tool misconfigurations, sharing of credentials, or     Side channel attacks resort to analysing times, power consumption
admins changing user attributes [39].                                    and temperature during cryptographic operations in order to iden-
   Security awareness training is used to cultivate the personnel’s      tify properties, algorithms used or even keys. Countermeasures
security culture, awareness of good practices and sense of respon-       insert randomness in order to render the analysis useless, by time
sibility. Occasional briefing on security and simulation of attacks      skewing, random heating, cache flushing, disabling or bypassing
such as phishing from the security teams of companies to the rest        and many more methods.
of the teams, can help create good practice habits on the employees         Internet of Things devices can also be severely susceptible to
that can collectively improve the security posture of the company.       Denial of Service attacks. Vampire attacks [55] attempt to drain the
The power of machine learning can also be leveraged here, as algo-       battery of ad-hoc wireless devices to induce DoS, where the nodes
rithms such as kNN, SVM, Random Forest, Neural Networks as well          shut down and do not communicate with the rest of the deployment.
as unsupervised and similarity learning techniques perform well          Mitigation controls include the ability to reroute at each node if a
into detecting social engineering attacks such as phishing [6, 43]       shorter route is known or introducing a no-backtracking metric that
and malicious URL links [50, 52].                                        ensures the gradual progress network packets and avoids loops. DoS
   Regarding management strategies, which are not purely tech-           can also be avoided through frequency hopping, using directional
nical but could improve the security of the company significantly,       antennas, or by spectrum spreading [16].
responsible vulnerability disclosure programs can be incorporated.          Trusted computing [54] is another aspect of the embedded IoT
Here, external researchers or regular users that manage to find a        devices’ security. Trusted Execution Environments (TEEs) are pro-
bug in a product can disclose it to the engineering teams of the         cessing units that ensure the protection of included code and data.
product so that it is quickly patched before it is exploited. In such    Usually this is achieved by dedicated co-processors where security
cases, the individual can be rewarded financially, or in another way,    tasks are being offloaded from the main processor, and secure mem-
depending on the severity of the found bug. This gives an incentive      ory (dedicated on-chip RAM). Also, since outside the TEE data are
for researchers to disclose the bugs responsibly and not person-         not secure, there should be integrity checks for detecting modifica-
ally profit from them with malicious activities. Another significant     tions while outside. Secure booting is a significant feature of a TEE,
measure is periodic company-wide risk and threat assessment, by          as it verifies an image before it is executed, and in order to be suc-
either the company’s internal security team or employment of ex-         cessful secure storage of signatures and secure code for verification
ternal “red” teams and penetration testers. Finally, security incident   must be ensured. Therefore, the keys and signatures are written
scenario strategies should be in place in order to define the actions    into protected read-only memory called hardware root of trust, that
that will take place in the worst case of a security breach so that      usually is on-SoC (System on chip) OTP (one-time-programmable)
the company can identify a potential security hole, patch it and         hardware that acts as anchor for the chain of trust.
recover from the breach as soon as possible.                                Firmware updates is another issue that should be addressed.
                                                                         It is suggested that firmware updates should be encrypted and
1 https://github.com/EvangelouSotiris/Security-Assessment-in-IoT-        authenticated as well as be installed over the air (OTA) via secure
Ecosystems_Summary-tables/raw/master/Summary_tables.pdf
protocol channels. Finally, application whitelisting is a popular method for avoiding malware installed inside the device. In [21], a store of binary checksums collected at a clean device state is used to block untrusted software execution and prevent its spreading. Malware detection in IoT devices can also be performed by static analysis of high level features using multiple classifiers like RIPPER, SVM, neural networks and more [37].

3.5 Communication Channels

Inside an IoT ecosystem, devices need to communicate. The data exchanged within the communication channels can be sensitive and private, thus eavesdropping and tampering must be avoided. Cryptography is the method that is widely used in order to avoid typical MITM attacks, and Transport Layer Security (TLS) is the standardized solution for secure encrypted communication. Specifically, TLSv1.2 and TLSv1.3 are the standardized (defined in RFC5246 [44] and RFC8446 [45] respectively) non-deprecated protocol versions used at the moment. The use of TLS assures confidentiality, authentication, and integrity. TLSv1.3 provides faster and more secure communication than 1.2, with more features such as Forward Secrecy. Lastly, TLS provides the capability for two-way authentication. Servers carry X.509 certificates to be trustworthy, but clients can also carry certificates signed by a trusted CA. This can be useful in the ecosystem of IoT in order to authenticate devices that send data to the cloud applications. When TLS client certificates are not preferred, the devices can be authenticated through the use of AI algorithms for proximity-based or fingerprint-based authentication, where IGMM, Q-learning and neural networks are found to produce highly accurate results [24, 56].

The use of cryptography, however, presents the engineers with a significant tradeoff in the case of Internet of Things devices. Overheads in time and processing power occur during the calculations for encryption, decryption, and key generation and exchange. Consequently, there is a need to use lightweight algorithms for these security tasks that will compromise neither the security posture of a potential IoT device nor the device’s performance and latency in performing its functionalities.

Starting off with asymmetric cryptography, between the two options of Diffie-Hellman (DH) and RSA, the first is preferred, and mostly its version leveraging elliptic curves (ECC) and featuring forward secrecy: Elliptic Curves Diffie Hellman Ephemeral (ECDHE). On symmetric cryptography, AEAD algorithms that encrypt and authenticate in one pass are gaining popularity, with AES-GCM and the ChaCha20-Poly1305 combination being the most secure, fast and least resource intensive options. ChaCha20-Poly1305 is proposed in [10] as the favorable option for smart devices in TLSv1.3, but in TLSv1.2 AES-GCM is proposed, especially with the performance spike in devices with specific instructions for hardware acceleration in specific cryptographic steps.

Regarding hashing algorithms, the performance evaluation generally seems to have minimal significance compared to e.g. the latency and energy consumption of asymmetric algorithms. Nevertheless, in [40] there is a study on hashing algorithms in IoT platforms and embedded devices, where Blake2 [12] is found to be more lightweight, energy efficient and fast. Other lightweight hashing families of algorithms are Photon [23] and Quark [11].

So far, we have assumed that the devices have the capabilities of establishing a TLS connection with a remote server. In some low-resourced devices though this is not the case, and the minimum threshold for TLS-based solutions is 10KBs of RAM and 100KBs of ROM. In these situations a middleware is needed to provide the TLS-based communication for the constrained IoT devices [27].

3.6 Message Brokers

Message brokers are the entry points of IoT device data to the IoT platform, and they usually work with multiple application layer protocols such as HTTP (REST), MQTT and CoAP. TLS and X.509 certificates are the way to secure communication between devices and message brokers, as already discussed. If mutual authentication is configured, this is the asset to perform device authentication and determine access rights. Otherwise, authentication with passwords or tokens can also be implemented, where the broker can rely on the back-end for authentication purposes.

Another security measure that can be typically implemented here is authorization and access control, so that IoT devices can publish to a particular topic, with their data used by the intended subscribers alone, and vice versa, so that subscribers ensure that the data originate from specific trusted publishers. Each Message Queue/Broker server usually provides a certain way of defining access control and authorization policies, but the two most common approaches are Access Control Lists (ACL), which are lists that associate users with permissions, and Role-Based Access Control (RBAC), where roles are associated with permissions and users can have one or multiple roles, inheriting their permissions. Genetic Algorithms can be used for role-mining in order to automatically create roles and define RBAC policies [18]. [28] also presents some other authorization trends such as UCON (Usage control), which is used for continuously mutating authorization factors such as pay-per-view or metered payment situations, and CapBAC, which uses tokens to associate users with specific capabilities.

3.7 Web Application Interfaces

Web applications usually are the asset that offers the largest attack surface, since they provide a wide range of functionalities triggered by user actions, and they are fully visible to the public. There are numerous ways to “harm” a web application, and there are also various tools available to help to this end. Here as well, encryption between users and the front-end is essential.

A well known category is the injection attacks. This refers to commands being passed to an interpreter or another program, where part of the commands is derived from user input. SQL, NoSQL, LDAP, and OS injections belong to this category. User input validation and sanitization is needed to constrain the choices the user has in the data entered. Moreover, access control should be implemented correctly and carefully so that users only have access to authorized content. The authorization is mostly implemented with middleware software between function calls that checks whether the user is authorised to access the functionality after the middleware. General web application attacks are also relevant here, such as cross-site scripting, external XML entities (XXEs), information-exposing error reporting, unprotected assets and more.
The identification of such vulnerabilities is based on detecting the entrypoints of user input and applying validation and escaping when this input is going to be used in HTML, CSS, Javascript and generally any interpretable content, or using modern frontend frameworks that tend to provide automatic sanitization, e.g. Angular. The use of security tools for web applications testing is applicable here as well, such as Arachni, OWASP ZAP, W3af and Wfuzz. Finally, web application firewalls can help mitigate lots of attacks through a mixture of the traditional signature-based approach and supervised or unsupervised Machine Learning techniques to handle unknown injection attacks [22, 31].

3.8 Database Systems

Databases are the assets that hold the majority of the data of the IoT ecosystem, as well as the functionality to access it. The information stored should be protected in terms of confidentiality and integrity. Starting with the SQL injection vulnerability mentioned previously, stored procedures were proposed as a way to limit outer effect to internal queries. Access control in query capabilities is also essential. The user that makes the queries should not be ‘root’, but should only have restricted authorization. Furthermore, the databases should not be directly exposed to the internet where remote malicious actors could potentially gather information, as well as send payloads for penetration testing.

Data, and especially sensitive data, should be protected, e.g. in the incident of an information leakage; credential information such as passwords should be hashed, and the authentication should be performed by comparing the hash of the password given by the login form with the password hash located in the database, so that even in the case that this hash is leaked, the malicious actor cannot discover the original password without bruteforcing. Additionally, the whole database could be encrypted, though that does come with a trade-off in the latency (and potential insecurity) that the middleware application that encrypts and decrypts the data introduces.

Cryptographic key management is also an issue that should be tackled at the database asset level. Private, Symmetric and Hash keys that are used to encrypt, decrypt or digitally sign data need to be kept on a secure storage where they are accessed only by authenticated users, mostly developers. First and foremost, these keys should not be kept in the database with the data they protect, and if possible not even in the same server. In the case they are placed in the same server, they should be given appropriate read-write-execute permissions. A solution heavily proposed, although expensive, is Hardware Security Modules (HSMs), which are hardware solutions for keeping keys and performing cryptographic tasks for the server.

3.9 Processing Services

The driving force of IoT are applications and services that process incoming data from the devices and forward results to users, or other devices and applications. A range of preset applications is usually provided by the platform to the users, but most of the commercial platforms also allow users to create their own applications, deploy, and share them with the community. As with any user input and especially executable content in this case, several security risks are posed for the platform and should be carefully handled.

Whenever the execution of a process needs to be controlled, there is a need for isolated environments, and the solution is usually through virtualization. These types of environments are capable of running non-trusted programs or opening non-trusted files that could potentially be malicious inside a controlled environment without directly affecting the server in which they reside. Containers are heavily preferred for application deployment as they are fast to deploy and kill, and easier to control. Containers have some inherent security characteristics but there is a number of measures that can be taken to protect the system whenever containers run non-trusted user code. [53] propose to run containers inside a VM in order to add the virtual kernel layer of security in the case of a container escape. Other measures to increase security are running the programs created by the user as non-root and with least privileges, and in secure minimal container images containing just the necessary binaries that each program functionality requires. Also, restricted versions of programming languages are usually employed, in order to avoid language-specific capabilities such as execution of shell commands. Lastly, in some cases the spawned services might attempt to starve the host of resources for prolonged timeframes. Thus, there should be a time and resource (CPU, Memory, Storage) quota on the spawned containers in order to avoid this kind of DoS incident. Also, the network accessibility of the containers should be controlled and constrained to the extent possible.

3.10 Backend Servers

Backend is the asset where the functionality of the different parts of the IoT platform is orchestrated. Data is received there and stored into databases, or sent to processing services. Also, communications with the Frontend Web Applications are facilitated to address user requests. The backend also provides functionality over the Internet, mostly through Application Programming Interfaces (APIs). Web application and Database Security have already been discussed in their respective sub chapters, so here the focus is on the APIs used either by other assets or external users.

First, the publicly exposed APIs should be protected with encryption in order to avoid eavesdropping. Also, authentication should be enforced in order to use the API, usually through API tokens. Authorization should also be kept in mind, since the APIs must ensure that the user only accesses and uses the content he is authorized for. The rate of the requests is another factor that needs to be accounted for in order to avoid DoS situations and make the API scalable. Rate limiting can be implemented in many ways, with the most popular being putting the requests in message queues and processing each one at a specific rate, or throttling of the user’s connection (bandwidth limiting) upon detection of surpassing the request rate. Input parameter validation should be made in the API requests as with any entry point, using rules to enforce consistency with the API’s expectations. The validation could be implemented as a middleware receiving the requests at an API gateway, which could be used for other reasons as well, such as monitoring API traffic and applying machine learning and AI to find deviations from normal behaviour and flag possible attack attempts.
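The API controls listed in section 3.10 (token authentication, per-client rate limiting, input parameter validation and authorization, applied as middleware at a gateway) can be chained as in the following added example, which is not code from the paper. The class and function names, the device id format, the `limit` parameter, the token-bucket choice for rate limiting and the status codes are all assumptions made for illustration; TLS termination is assumed to happen in front of this code.

```python
import hashlib
import re
import time
from dataclasses import dataclass

DEVICE_ID = re.compile(r"[a-z0-9-]{1,32}")  # hypothetical device id format
ALLOWED_PARAMS = {"limit"}                  # hypothetical query parameters


@dataclass
class Client:
    devices: frozenset   # devices this API token is authorized to read
    bucket: float        # requests the client may still make right now
    refilled_at: float   # clock value at the last refill


class Gateway:
    """Middleware chain: authenticate, rate limit, validate, authorize."""

    def __init__(self, rate_per_s=1.0, burst=3, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_s, burst, clock
        self._clients = {}  # SHA-256 of token -> Client; raw tokens are not stored

    @staticmethod
    def _digest(api_token):
        return hashlib.sha256(api_token.encode()).hexdigest()

    def register(self, api_token, devices):
        self._clients[self._digest(api_token)] = Client(
            frozenset(devices), float(self.burst), self.clock())

    def _take(self, client):
        # Token bucket: refill in proportion to elapsed time, capped at the burst size.
        now = self.clock()
        elapsed = now - client.refilled_at
        client.bucket = min(self.burst, client.bucket + elapsed * self.rate)
        client.refilled_at = now
        if client.bucket < 1.0:
            return False
        client.bucket -= 1.0
        return True

    @staticmethod
    def _validate(device_id, params):
        # Allow-list validation: reject anything outside the expected shape.
        if not isinstance(device_id, str) or not DEVICE_ID.fullmatch(device_id):
            return "malformed device id"
        unknown = set(params) - ALLOWED_PARAMS
        if unknown:
            return "unexpected parameter: " + sorted(unknown)[0]
        limit = params.get("limit", "100")
        if not (isinstance(limit, str) and limit.isascii() and limit.isdigit()
                and 1 <= int(limit) <= 1000):
            return "limit must be an integer between 1 and 1000"
        return None

    def handle(self, api_token, device_id, params):
        client = self._clients.get(self._digest(api_token or ""))
        if client is None:
            return 401, "unknown API token"
        if not self._take(client):          # malformed requests also consume quota
            return 429, "rate limit exceeded"
        error = self._validate(device_id, params)
        if error:
            return 400, error
        if device_id not in client.devices:
            return 403, "token not authorized for this device"
        return 200, "forwarded to backend"


def demo():
    """Constructed requests against a fake clock; returns the status codes."""
    now = [0.0]
    gw = Gateway(rate_per_s=1.0, burst=3, clock=lambda: now[0])
    token = "constructed-token-1"
    gw.register(token, {"sensor-01"})
    results = [
        gw.handle("wrong-token", "sensor-01", {}),
        gw.handle(token, "sensor-01", {"limit": "10"}),
        gw.handle(token, "sensor-02", {}),          # valid id, not in scope
        gw.handle(token, "sensor-01;--", {}),       # fails the id allow-list
        gw.handle(token, "sensor-01", {}),          # burst of 3 is used up
    ]
    now[0] += 2.0                                   # two seconds later
    results.append(gw.handle(token, "sensor-01", {}))
    return [status for status, _ in results]


if __name__ == "__main__":
    print(demo())
```

Rate limiting runs before validation so that a flood of malformed requests is throttled like any other traffic.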
3.11    Deployment Infrastructure                                        that can indicate how updated and secure against harmful remote
A substantial part of the IoT ecosystem is hosted on cloud or edge       cyberattacks a country’s systems are, and, consequently, assess each
infrastructure. Starting from physical security, the infrastructure is   country’s security awareness. This measure is termed as LSAR, for
expected to have strict access control with multi-factor authenti-       Lack of Security Awareness Ratio. In theory, high values of LSAR
cation to the machines and other assets, camera surveillance and         indicate greater density of vulnerable and exploitable devices in a
a great resiliency to physical disasters. Device and network mon-        group of devices, deeming that group as a more possible target of
itoring is also imperative, with alerts triggered in case of strange     malicious actors than one with a smaller LSAR.
                                                                                  Í
behaviour. Strict control should also exist in the application level,                (#𝑂𝑐𝑐𝑢𝑟𝑒𝑛𝑐𝑒𝑠𝑖 × 𝐶𝑉 𝑆𝑆𝑠𝑐𝑜𝑟𝑒𝑖 × 𝐸𝑥𝑝𝑙𝑜𝑖𝑡𝑎𝑏𝑖𝑙𝑖𝑡𝑦𝑠𝑐𝑜𝑟𝑒𝑖 )
                                                                         𝐿𝑆𝐴𝑅 = 𝑖
with secure, authenticated, and authorised management software                                            #𝐷𝑒𝑣𝑖𝑐𝑒𝑠
on the provider’s side. On deployment, CSPs should ensure VM             where
quotas are met, and VMs are isolated when the deployment is not
                                                                            𝑖 ∈ {CVE-X|𝐶𝑉 𝑆𝑆𝑠𝑐𝑜𝑟𝑒𝑖 > 6.0 ∩ 𝑉 𝑒𝑐𝑡𝑜𝑟𝑖 ∉ 𝐿𝑜𝑐𝑎𝑙, 𝑃ℎ𝑦𝑠𝑖𝑐𝑎𝑙 }
on a dedicated machine.
   Cyberthreat detection is also required in order to provide ap-
propriate protection. Multi-technology systems are deployed in           The resulting LSAR values are shown in Table 1:
strategic network locations for this purpose, such as Network Intru-
sion Detection systems (NIDS) and Network Intrusion Prevention                          Table 1: Top 20 countries by LSAR
Systems (NIPS) that essentially combine the NIDS real-time threat
detection with linkage to firewall rules in order to block those                    0   HTI     1.422832    10   MYS      0.404316
threats. These systems are based on anomaly detection techniques                    1   UZB     1.164537    11   TWN      0.398422
to detect deviations from normal behaviour and block untrusted                      2   ZWE     0.782047    12   PER      0.397818
data packets before they reach the hosts. This approach allows not                  3   HKG     0.721822    13   TJK      0.392794
only protection against known attacks, which could very well be                     4   ETH     0.636363    14   ZAF      0.379868
avoided by the firewall rules, but also against unknown attacks                     5   JOR     0.522041    15   SEN      0.372707
in some cases. Many machine learning techniques perform well                        6   PNG     0.455162    16   GTM      0.348438
in intrusion detection including Neural Networks (CNNs, MLPs),                      7   LBN     0.451086    17   CHN      0.331362
SVMs, Naive Bayes, Decision Trees and Logistic Regression [14].                     8   MRT     0.441238    18   SLE      0.323695
   Having defined the security controls for each asset in the taxon-                9   KGZ     0.405626    19   BTN      0.321850
omy, in what follows, we present a metric that can be used to col-
lectively assess the security awareness in large pools of IoT-enabled       Results include the countries with the biggest LSAR metrics,
devices, in order to highlight the vulnerabilities to be addressed.      meaning the countries with the least security preparedness against
                                                                         known exploits and remote cyberattacks, hence least security aware-
                                                                         ness. To validate LSAR, we compare it with results from a sur-
4   LACK OF SECURITY AWARENESS RATIO
We hereby define a metric that shows how well protected an IoT ecosystem is, by examining a number of indicators that can be retrieved without authorized access to assets.

The data used to compute our metric are collected using Shodan, a global crawler for Internet-connected devices. It scans global IPs, collects information such as the organization name, location, domain name, open ports, and services, and attempts to grab the banner of the audited services to learn more specific information, e.g. the version, which it then maps to specific CVE vulnerabilities. Using the Shodan API, we initially collect information about the number of internet-connected devices globally, categorised by country, for the top 200 results, excluding those with a population of less than 300,000.

First, we determine the number of devices found vulnerable to specific vulnerabilities with CVE identification numbers. Next, the weighted sum of them was computed for each country, using as weights their CVSS score and their exploitability score. Vulnerabilities with a CVSS score below 6.0 or a Local/Physical attack vector were excluded from the calculation, in order to keep only severe and relatively easily remotely exploitable vulnerabilities. In that regard, it was assumed that devices with vulnerabilities in that category would most likely become a cyber-attack target because of the ease of exploitation and the impact that a malicious actor can deliver.

Dividing the weighted sum of vulnerabilities per country by the number of internet-connected devices in each results in a metric

vey [13] for the best and worst security in countries. The survey includes data up to March 2020, which is adequately close to the data collection from Shodan for the LSAR computation (late April, 2020). In this survey, countries are ranked for the percentage of mobile devices and computers infected with malware, the number of financial malware attacks, the percentage of all telnet attacks by originating country, the percentage of users attacked by cryptominers, and the best-prepared countries for cyber attacks.

Combining this survey’s results with LSAR, 65 countries appear in both datasets and thus can be compared. We explore the correlation between the LSAR feature and the features introduced by the Comparitech survey. Results are shown in Fig. 2 and Fig. 3, for the Pearson and Spearman correlation coefficients, respectively.

LSAR has a moderate uphill relationship with cryptomining attacks (+0.52, +0.54 correlation coefficients). This means that a high LSAR is correlated with a high percentage of cryptomining attacks. These, being one of the most popular uses of botnets, tend to target remotely exploitable devices, in order to amass computing power for mining operations in blockchain cryptocurrencies.

LSAR has a moderate uphill relationship with financial malware attacks, i.e. malware targeting bank accounts to steal money from victims (+0.58, +0.46 correlation coefficients). While this correlation validates the relationship of a high LSAR with a high percentage of malware targeting the victim, we require additional data, which are hard to acquire, to explore whether this assumption is valid.
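Added example (not code from the paper): a minimal computation of the LSAR-style ratio described in this section, followed by the Pearson and Spearman coefficients against one survey feature over the countries present in both datasets. All data are constructed and the CVE ids are placeholders; multiplying the CVSS score by the exploitability score to form the weight is an assumption, since the text does not state how the two weights are combined.

```python
from math import sqrt

# Constructed catalogue: placeholder CVE ids with made-up CVSS data.
CVES = {
    "CVE-A": {"cvss": 9.0, "expl": 3.0, "vector": "NETWORK"},
    "CVE-B": {"cvss": 7.5, "expl": 2.0, "vector": "NETWORK"},
    "CVE-C": {"cvss": 5.0, "expl": 3.0, "vector": "NETWORK"},  # excluded: CVSS < 6.0
    "CVE-D": {"cvss": 8.0, "expl": 2.0, "vector": "LOCAL"},    # excluded: Local vector
}
# Constructed crawl summary: connected devices and vulnerable-device counts per CVE.
CRAWL = {
    "AA": {"devices": 1000, "hits": {"CVE-A": 10, "CVE-B": 20, "CVE-C": 500}},
    "BB": {"devices": 2000, "hits": {"CVE-A": 5, "CVE-D": 300}},
    "CC": {"devices": 500, "hits": {"CVE-B": 10}},
    "DD": {"devices": 4000, "hits": {"CVE-A": 100, "CVE-B": 100}},
    "EE": {"devices": 800, "hits": {"CVE-A": 4}},  # absent from the survey
}
# Constructed survey feature, e.g. % of users attacked by cryptominers.
SURVEY = {"AA": 3.0, "BB": 0.5, "CC": 1.0, "DD": 2.5, "ZZ": 9.9}


def counts(cve):
    """Keep only severe, remotely exploitable entries, as the text describes."""
    return cve["cvss"] >= 6.0 and cve["vector"] not in ("LOCAL", "PHYSICAL")


def lsar(entry):
    """Weighted vulnerable-device sum divided by connected devices.
    Assumption: the weight is CVSS score times exploitability score."""
    if entry["devices"] <= 0:
        raise ValueError("no connected devices: ratio undefined")
    weighted = sum(n * CVES[c]["cvss"] * CVES[c]["expl"]
                   for c, n in entry["hits"].items() if counts(CVES[c]))
    return weighted / entry["devices"]


def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return cov / sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))


def ranks(values):
    """1-based ranks; tied values share the average of their positions."""
    order = sorted(range(len(values)), key=values.__getitem__)
    out, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out


def spearman(x, y):
    return pearson(ranks(x), ranks(y))


def compare(crawl=CRAWL, survey=SURVEY):
    """Correlate LSAR with the survey feature over countries present in both."""
    common = sorted(set(crawl) & set(survey))
    x = [lsar(crawl[c]) for c in common]
    y = [survey[c] for c in common]
    return common, pearson(x, y), spearman(x, y)


if __name__ == "__main__":
    countries, r, rho = compare()
    print(countries, round(r, 2), round(rho, 2))
```

Because Spearman works on ranks, a single country with an extreme ratio moves it less than it moves Pearson, which is one reason to report both coefficients.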
Figure 2: Pearson correlation coefficient

Figure 3: Spearman correlation coefficient

LSAR and the best-prepared metric of the Comparitech survey have a moderate downhill relationship (-0.28, -0.30 correlation coefficients), which is expected. This further validates our findings, rendering LSAR a metric for checking the security posture of a sum of devices, in this case a country. The coefficients are not very high, which could be explained by the specificity of the use case of the Shodan findings (external attacks) compared to the best-prepared feature, which is derived from the Global Cybersecurity Index scores [25]. The GCI score performs a general security evaluation of a country’s cybersecurity, including factors such as cybercrime legislation and information extracted from questionnaires, hence the index is not fully consistent with our case.

LSAR has a weak uphill relationship with mobiles infected with malware. Additionally, there is a non-significant relationship of LSAR with computer malware, which could be explained by the fact that most of it originates from attacks like phishing, downloaded malware disguised as a useful program, or infected drives. The Shodan findings, in contrast, concern vulnerability to external cyberattacks, so a huge proportion of the variability that could be explained is missed, hence the insignificant correlation with mobile and computer malware. Telnet attacks and LSAR also have an insignificant correlation, which is explained by the fact that they are bruteforcing attacks, not CVE-specific exploits.

Summarizing, we can see that even the omission of a simple activity such as consistently updating software to secure versions can compromise the security of a device, and collectively widen the attack surface of the device’s environment. The LSAR is a metric that can be used to assess the security posture of a large group of internet-connected devices, owned and handled by different individuals or organizations, by checking the exposure to potential common vulnerabilities (CVEs). Apart from countries, large groups of machines/devices could also be considered to be Wide Area Networks (WAN), geographical regions such as cities, or even large data centers where the VMs could take the place of devices, and in those cases LSAR can provide a general view of the awareness of security as well as the density of vulnerable points inside the group.

5   CONCLUSIONS
In this paper, we established a structured methodology towards assessing the security posture of an Internet of Things ecosystem and reinforcing it. This is achieved through a divide and conquer approach where we decompose the ecosystem into the assets that compose it, inspecting each asset’s attack surface, defining security requirements, and proposing mitigations or good practices. This work aspires to become a handy guide for developers, researchers, engineers or managers working in the IoT domain, and to contribute to the vast research towards secure IoT deployments and products. Potential future work includes a practical application of the defined methodology to a real IoT ecosystem focused on a specific use case, such as a power grid or a vehicular ad-hoc network. Such an approach could validate the methodology’s applicability and usability, as well as yield potential insecure factors that this work has not yet taken into consideration.

ACKNOWLEDGMENTS
Charilaos Akasiadis acknowledges partial support of this work by the project SYNTELESIS “Innovative Technologies and Applications based on the Internet of Things (IoT) and the Cloud Computing” (MIS 5002521), which is implemented under the “Action for the Strategic Development on the Research and Technological Sector”, funded by the Operational Programme “Competitiveness, Entrepreneurship and Innovation” (NSRF 2014-2020), and co-financed by Greece and the European Union (European Regional Development Fund).

REFERENCES
[1] 2017. Baseline Security Recommendations for IoT: in the context of critical infrastructures. Technical Report. ENISA: European Union Agency for Cybersecurity.
[2] 2019. Good Practices for Security of IoT: Secure Software Development Lifecycle. Technical Report. ENISA: European Union Agency for Cybersecurity.
[3] 2019. Guidelines: Internet of Things (IoT) Cybersecurity Guide. Technical Report. Infocomm Media Development Authority.
[4] C. Adaros Boye, P. Kearney, and M. Josephs. 2018. Cyber-Risks in the Industrial Internet of Things (IIoT): Towards a Method for Continuous Assessment. In Information Security. Springer Int. Publishing, 502–519.
[5] T. Ahanger. 2018. Defense Scheme to Protect IoT from Cyber Attacks using AI Principles. Int. Journal of Computers Communications & Control 13 (11 2018), 915–926. https://doi.org/10.15837/ijccc.2018.6.3356
[6] A. A. Akinyelu and A. O. Adewumi. 2014. Classification of Phishing Email Using Random Forest Machine Learning Technique. Journal of Applied Mathematics 2014 (03 Apr 2014), 425731. https://doi.org/10.1155/2014/425731
[7] O. Alrawi, C. Lever, M. Antonakakis, and F. Monrose. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA. https://doi.org/10.1109/SP.2019.00013
[8] J. Ambrose, R. Ragel, D. Jayasinghe, T. Li, and S. Parameswaran. 2015. Side channel attacks in embedded systems: A tale of hostilities and deterrence. 2015 (04 2015), 452–459. https://doi.org/10.1109/ISQED.2015.7085468
[9] M. Ammar, G. Russello, and B. Crispo. 2018. Internet of Things: A survey on the security of IoT frameworks. Journal of Information Security and Applications 38 (2018), 8–27. https://doi.org/10.1016/j.jisa.2017.11.002
[10] B. Arunkumar and K. Govardhanan. 2018. Analysis of AES-GCM Cipher Suites in TLS. 102–111. https://doi.org/10.1007/978-3-319-68385-0_9
[11] J.-P. Aumasson, L. Henzen, W. Meier, and M. Naya-Plasencia. 2010. Quark: A Lightweight Hash. Journal of Cryptology 26, 1–15. https://doi.org/10.1007/978-3-642-15031-9_1
[12] J.-P. Aumasson, S. Neves, Z. Wilcox-O’Hearn, and C. Winnerlein. 2013. BLAKE2: Simpler, Smaller, Fast as MD5. In Applied Cryptography and Network Security. Springer Berlin Heidelberg, Berlin, Heidelberg, 119–135.
[13] Paul Bischoff. 2020. Which countries have the worst (and best) cybersecurity? https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/.
[14] N. Chaabouni, M. Mosbah, A. Zemmari, C. Sauvignac, and P. Faruki. 2019. Network Intrusion Detection for IoT Security Based on Learning Techniques. IEEE Communications Surveys Tutorials 21, 3 (2019), 2671–2701.
[15] A.B. Chebudie, R. Minerva, and D. Rotondi. 2015. Towards a definition of the Internet of Things (IoT). Ph.D. Dissertation.
[16] M. Dabbagh and A. Rayes. 2017. Internet of Things Security and Privacy. 195–223. https://doi.org/10.1007/978-3-319-44860-2_8
[17] M. Dikmen and C. Burns. 2017. Trust in autonomous vehicles: The case of Tesla Autopilot and Summon. In 2017 IEEE International Conference on Systems, Man, and Cybernetics (SMC). 1093–1098.
[18] X. Du and X. Chang. 2014. Performance of AI algorithms for mining meaningful roles. Proceedings of the 2014 IEEE Congress on Evolutionary Computation, CEC 2014, 2070–2076. https://doi.org/10.1109/CEC.2014.6900321
[19] E. Dubrova. 2018. Anti-tamper techniques. Technical Report. KTH Royal Institute of Technology, Sweden.
[20] B. Farahani, F. Firouzi, and K. Chakrabarty. 2020. Healthcare IoT. 515–545. https://doi.org/10.1007/978-3-030-30367-9_11
[21] T. Gopal, M. Meerolla, G. Jyostna, L. Eswari, and E. Magesh. 2018. Mitigating Mirai Malware Spreading in IoT Environment. 2226–2230. https://doi.org/10.1109/ICACCI.2018.8554643
[22] S. Goswami, N. Hoque, Dhruba K Bhattacharyya, and Jugal Kalita. 2017. An unsupervised method for detection of XSS attack. International Journal of Network Security 19 (09 2017), 761–775. https://doi.org/10.6633/IJNS.201709.19(5).14
[23] J. Guo, T. Peyrin, and A. Poschmann. 2011. The PHOTON Family of Lightweight Hash Functions. In Advances in Cryptology – CRYPTO 2011. Springer BH, 222–239.
[24] A. Hameed and A. Alomary. 2019. Security Issues in IoT: A Survey. 1–5. https://doi.org/10.1109/3ICT.2019.8910320
[25] International. 2020. Global Cybersecurity Index. https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/.
[26] G. Kaur and M. Sohal. 2018. IOT Survey: The Phase Changer in Healthcare Industry. Int. Journal of Scientific Research in Network Security and Communication 6 (04 2018), 34–39. https://doi.org/10.26438/ijsrnsc/v6i2.3439
[27] J. King and A. I. Awad. 2016. A distributed security mechanism for Resource-Constrained IoT Devices. 40 (01 2016), 133–143.
[28] Y. Lee, J. Lim, Y. Jeon, and J. Kim. 2015. Technology trends of access control in IoT and requirements analysis. 1031–1033. https://doi.org/10.1109/ICTC.2015.7354730
[29] S. Liu. 2020. Internet of Things - Statistics & Facts. https://www.statista.com/topics/2637/internet-of-things/.
[30] K. L. Lueth. 2020. IoT 2019 in Review: The 10 Most Relevant IoT Developments of the Year. https://iot-analytics.com/iot-2019-in-review/.
[31] A. Makiou, Y. Begriche, and A. Serhrouchni. 2014. Improving Web Application Firewalls to detect advanced SQL injection attacks. 2014 10th Int. Conf. on Inf. Assurance and Security (11 2014). https://doi.org/10.1109/ISIAS.2014.7064617
[32] M. S. Mekala and V. Perumal. 2017. A Survey: Smart agriculture IoT with cloud computing. 1–7. https://doi.org/10.1109/ICMDCS.2017.8211551
[33] Romanosky S. Mell P, Scarfone K. 2007. CVSS: a complete guide to the common vulnerability scoring system version 2.0. Technical Report. FIRST: forum of incident response and security teams.
[34] S. Mohanty. 2016. Everything You Wanted to Know About Smart Cities. IEEE Cons. Electronics Mag. 5 (2016), 60–70. https://doi.org/10.1109/MCE.2016.2556879
[35] S. Mukkamala, G. Janoski, and A. Sung. 2002. Intrusion detection using neural networks and support vector machines. Proc. of the Int. Joint Conf. on Neural Networks 2, 1702–1707. https://doi.org/10.1109/IJCNN.2002.1007774
[36] N. Neshenko, E. Bou-Harb, J. Crichigno, G. Kaddoum, and N. Ghani. 2019. Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations. IEEE Communications Surveys Tutorials 21, 3 (2019), 2702–2733.
[37] Q.-D. Ngo, H.-T. Nguyen, V.-H. Le, and D.-H. Nguyen. 2020. A survey of IoT malware and detection methods based on static features. ICT Express (2020). https://doi.org/10.1016/j.icte.2020.04.005
[38] S. O’Dea. 2020. Data volume of IoT connected devices worldwide 2018 and 2025. https://www.statista.com/statistics/1017863/worldwide-iot-connected-devices-data-size/.
[39] M. Patel. 2017. QRadar UBA App Adds Machine Learning and Peer Group Analyses to Detect Anomalies in Users’ Activities. Technical Report. SecurityIntelligence.com.
[40] G. C. C. F. Pereira, R. C. A. Alves, F. L. da Silva, R. M. Azevedo, B. C. Albertini, and C. B. Margi. 2017. Performance Evaluation of Cryptographic Algorithms over IoT Platforms and Operating Systems. Security and Communication Networks (2017), 1–16. https://doi.org/10.1155/2017/2046735
[41] H. Qiu, X. Wang, and F. Xie. 2017. A Survey on Smart Wearables in the Application of Fitness. 303–307. https://doi.org/10.1109/DASC-PICom-DataCom-CyberSciTec.2017.64
[42] S. Ragupathy and M. Thirugnanam. 2017. Review on Communication Security Issues in IoT Medical Devices. 189.
[43] S. Rawal, B. Rawal, A. Shaheen, and S. Malik. 2017. Phishing Detection in E-mails using Machine Learning. Int. Journal of Applied Information Systems 12 (10 2017), 21–24. https://doi.org/10.5120/ijais2017451713
[44] E. Rescorla. 2008. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246. RFC Editor. https://www.rfc-editor.org/rfc/rfc5246.txt
[45] E. Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. RFC Editor. https://www.rfc-editor.org/rfc/rfc8446.txt
[46] S. Rizvi, RJ Orr, A. Cox, P. Ashokkumar, and M. R. Rizvi. 2020. Identifying the attack surface for IoT network. Internet of Things 9 (2020), 100162. https://doi.org/10.1016/j.iot.2020.100162
[47] A. Roukounaki, S. Efremidis, J. Soldatos, J. Neises, T. Walloschke, and N. Kefalakis. 2019. Scalable and Configurable End-to-End Collection and Analysis of IoT Security Data: Towards End-to-End Security in IoT Systems. 1–6. https://doi.org/10.1109/GIOTS.2019.8766407
[48] R. Rishi and R. Saluja. 2019. Future of IoT. http://ficci.in/spdocument/23092/Future-of-IoT.pdf.
[49] J. Ruan, H. Jiang, C. Zhu, X. Hu, Y. Shi, T. Liu, W. Rao, and F Chan. 2019. Agriculture IoT: Emerging Trends, Cooperation Networks, and Outlook. IEEE Wireless Communications 26 (12 2019), 56–63. https://doi.org/10.1109/MWC.001.1900096
[50] D. Sahoo, C. Liu, and S. Hoi. 2017. Malicious URL Detection using Machine Learning: A Survey. (01 2017).
[51] D. Serpanos and M. Wolf. 2017. Security and Safety. In Internet-of-Things (IoT) Systems. Springer Int. Pub., 55–76. https://doi.org/10.1007/978-3-319-69715-4_6
[52] A. Sharma and A. Thakral. 2020. Malicious URL Classification Using Machine Learning Algorithms and Comparative Analysis. In Proc. of the 3rd Int. Conf. on Computational Intelligence and Informatics, K. S. Raju, A. Govardhan, B. P. Rani, R. Sridevi, and M. R. Murty (Eds.). Springer Singapore, Singapore, 791–799.
[53] J. Shetty. 2017. A State-of-Art Review of Docker Container Security Issues and Solutions. American International Journal of Research in Science, Technology, Engineering & Mathematics (01 2017).
[54] A. Ukil, J. Sen, and S. Koilakonda. 2011. Embedded Security for Internet of Things. 1–6. https://doi.org/10.1109/NCETACS.2011.5751382
[55] E. Vasserman and N. Hopper. 2013. Vampire Attacks: Draining Life from Wireless Ad Hoc Sensor Networks. Mobile Computing, IEEE Trans. on 12 (02 2013), 318–332. https://doi.org/10.1109/TMC.2011.274
[56] L. Xiao, X. Wan, X. Lu, Y. Zhang, and D. Wu. 2018. IoT Security Techniques Based on Machine Learning. (01 2018).
[57] H. Xu, W. Yu, D. Griffith, and N. Golmie. 2018. A Survey on Industrial Internet of Things: A Cyber-Physical Systems Perspective. IEEE Access 6 (2018), 78238–78259. https://doi.org/10.1109/ACCESS.2018.2884906
[58] L. Xu, W. He, and S. Li. 2014. Internet of Things in Industries: A Survey. IEEE Trans. on Industrial Informatics 10 (11 2014), 2233–2243. https://doi.org/10.1109/TII.2014.2300753
[59] W. Yang, S. Wang, J. Hu, Z. Guanglou, and C. Valli. 2019. Security and Accuracy of Fingerprint-Based Biometrics: A Review. Symmetry 11 (01 2019), 141. https://doi.org/10.3390/sym11020141
[60] O. Yavanoglu and M. Aydos. 2017. A Review on Cyber Security Datasets for Machine Learning Algorithms. https://doi.org/10.1109/BigData.2017.8258167
[61] M. Zamani and M. Movahedi. 2013. Machine learning techniques for intrusion detection. arXiv preprint arXiv:1312.2177 (2013).