Security Assessment in IoT Ecosystems

Sotirios Evangelou
swtevag@gmail.com
Dept. of Electrical and Computer Engineering
University of Thessaly, Greece

Charilaos Akasiadis
cakasiadis@iit.demokritos.gr
Institute of Informatics and Telecommunications
N.C.S.R. ‘Demokritos’, Greece

AIT-CPS2020, September 02–04, 2020, Athens, Greece
Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

ABSTRACT

The Internet of Things (IoT) and "Smart Everything" trend is a reality that is becoming part of our daily lives. Consequently, there is a gradual increase in the deployment of real world IoT systems that attempt to make use of the various possibilities and benefits the IoT offers. However, the connection of billions of—usually inherently insecure—devices in a network, paired with the lack of a clear security framework for the development of IoT systems and platforms has widened the attack surface of these systems leading to them being targeted by malicious actors. In this paper, we explore the problem and related research, devise an assets taxonomy and focus on the security requirements for each asset category. Then, we discuss countermeasures and good practices as well as new approaches based on AI that improve security and intrusion detection capabilities. We also introduce a metric that can be incorporated by automated security auditing methods. The relevance of this metric is evaluated with respect to correlation across findings from a real-world study.

KEYWORDS

Security, Internet of Things, IoT Ecosystems, Artificial Intelligence, Asset Taxonomy

1 INTRODUCTION

The Internet of Things (IoT) is a complex network that interconnects "things", i.e. uniquely identifiable programmable devices with physical sensing and/or actuation capabilities that form cyber-physical systems. Such devices mainly sense data from the physical world and take actions, with the possibility to also inter-operate with processing services [15]. The benefits offered are quite a few and they are currently being used in a wide range of use-cases, including healthcare [20, 26], fitness [41], manufacturing [57, 58], and agriculture industry [32, 49] among others. Ideas that would be previously deemed far-fetched and futuristic, such as self driving cars [17] and smart cities [34], are now realized.

The statistics related to the IoT are so far remarkable, and more or less depict the impact they induce in the modern life. According to IoT Analytics [30], in the end of 2019 the number of active IoT devices was estimated to be 9.5B, without counting mobile devices, or inactive ones; this number is continuously increasing. During the period of 2017-2025 the Compound Annual Growth Rate (CAGR) for the IoT connections is estimated to be 17% reaching 25 billion in 2025 and a 1.1 Trillion USD global market revenue according to FICCI/EY [48]. The total data volume by 2025 is projected to be 79.4 ZettaBytes (ZB) [38], and the number of IoT products is also rising, with publicly known IoT platforms in particular counting to 620 in 2019 [29]. Such information illustrates the size of the IoT potential. Adoption and usage rates are continuously rising and such solutions are used to reinforce important aspects of the production processes, including automation, monitoring and data analytics, towards sustainable and cost-effective processes.

Now, as with every disruptive technology, there are some challenges regarding IoT adoption as well. An important issue, that mainly comes up due to efforts in reducing investment costs, is increased security risks. Throughout the years, multiple vulnerabilities and security incidents have affected IoT ecosystems. Thus, focus is put into mitigating existing weaknesses and improving the security posture of such products. Research on IoT Cybersecurity covers a wide range of aspects, including the incorporation of security in the SDLC, auditing methodologies, surveys on attacks and common vulnerabilities, studies on good practices, as well as physical, hardware, software, and network security [1, 36].

In this work, we examine past research in the domain of security for IoT, and present a high-level taxonomy of the assets that compose a typical IoT ecosystem. Then, we briefly describe methods for evaluating the security posture by focusing on each of the identified assets, exploring insecure factors to assess desired requirements and highlight the aspects that could be reinforced. We cover a variety of ecosystem entities, since each of the assets performs differently in the ecosystem, and provides diverse security propositions due to the different nature of the various technology stacks incorporated. We establish a security baseline for each asset and collectively for the ecosystem itself. Additionally, we devise an index that combines aggregate real-world vulnerability data and their respective standardized scores (CVSS) into a single numerical value. Such an index can be incorporated in automated security assessment processes to compare security awareness and preparedness capacity of large IoT ecosystems. To illustrate applicability and effectiveness, we perform a correlation analysis with data from a real-world study providing cybersecurity statistics from many countries.

This paper is further structured as follows: In Section 2 we explore the previous related research. Section 3 provides a typical Internet of Things ecosystem asset taxonomy, and highlights the security requirements that need to be put in place, proposing controls, countermeasures, and best practices that can be applied to make each asset more secure. Section 4 presents a metric for cybersecurity awareness comparison between large device groups based on cumulative vulnerabilities to known attacks as well as the results from an analysis on real-world data that validates the metric’s applicability. Finally, in Section 5 we conclude and discuss our future intentions.

2 RELATED WORK

Given the widespread adoption of IoT in business processes and the every-day lives of individuals, an IoT product should not be deemed ready to enter the market unless it fulfils some baseline security requirements. Here, we provide an overview of related work describing such sets of requirements and recommendations.

To begin, ENISA, the European Union Agency for Cybersecurity, offers two significant reports providing baseline recommendations, good practices, and guidelines for IoT product development, maintenance, and end-of-life management. In both of the reports, a detailed asset and threat taxonomy is presented, with a special emphasis on the most critical parts, along with the impact and the stakeholders that they affect. The first report [1] also performs a gap analysis, and offers good practices and recommendations. However, the recommendations mostly focus on non-technical aspects and serve a development, maintenance, and management strategy purpose. The good practices report [2] of 2019 emphasises the incorporation of security in the software development life cycle of IoT products, analysing each cycle phase, and presenting good practices. Three types are recognized, the "People" which affect all stakeholders and phases, the "Processes" that affect the mechanisms surrounding the software project’s environment, and "Technologies" that consist of countermeasures and development good practices.

In another approach, the Infocomm Media Development Authority presents an IoT Cybersecurity Guide that offers suggestions for the implementation and operational phase of the product and two checklists, a threat modelling checklist and a vendor disclosure checklist [3]. By using such checklists, potential vendors and developers can perform a self-assessment on the security posture of a product in development, evaluating if it is secure and market-ready. Here, we provide links to a thorough checklist, categorized by the taxonomy of the IoT ecosystem.

These works offer to vendors a defined set of requirements and guidelines that should be applied to a newly developed IoT product, so that it operates securely, adhering to privacy and safety needs. This paper combines the identification of assets, the security requirement assessment, and insecurity exploration, as well as a proposition of measures to address such insecurities. We approach the IoT ecosystem from a higher-level cyberphysical system’s viewpoint and address all the types of co-existing stakeholders, including developers, system administrators, deployment infrastructure and end-users. We also focus on AI-related tools and programming techniques that can be applied by the responsible teams to improve the ‘marginal’ security of each asset.

2.1 The Attack Surface of IoT

An important aspect in the cybersecurity domain is the “attack surface”, i.e. the sum of insecure entry points that a malicious actor could utilize in order to enter or attack an IoT system.

In [46], there is a focus on the network aspect of IoT deployments. They decompose a network into trust zones, and categorize existing devices into IoT domains (Finance, Home, Wellness etc.). Then, 14 common vulnerabilities are mapped to common attacks like Denial of Service, Ransomware, and SCADA Trojan horses. Finally, security controls to mitigate these weak spots are presented, and a detailed map of IoT domains with the vulnerabilities, attacks and security controls associated with these domains is also given.

In [16], the Internet of Things security challenges are analysed and security requirements are presented such as the CIA triad - Confidentiality, Integrity, Availability. Then, a decomposition of the IoT architecture into three basic domains is performed, the cloud domain containing the IoT applications and services, the sensing domain containing the devices and their communication means, and the fog domain including everything that stands between the sensing and cloud domains. Authors delve into security vulnerabilities and common attacks regarding these three domains, and propose countermeasures for each of the cases explored.

Security is examined in different IoT layers in [51]. They assess security based on systems software and hardware controls, as well as anti-tampering physical security techniques. Emphasis is given on the network layer, and in particular on encryption, authentication, secure routing, and key management for the encryption mechanisms. Denial of service (DoS) and distributed denial of service (DDoS) techniques are also referenced as a “popular” attack against IoT devices. The application layer security is also examined, and methods for security-by-design and run-time monitoring of the new Internet of Things products are proposed.

Finally, [36] performs an in-depth survey on IoT vulnerability research. The paper sums up a variety of research focused into the attack surface of IoT architectures, and presents a taxonomy of the collected results depending on different aspects—i.e., Layers, Impact, Attacks, etc.—and maps the corresponding research to these classifications. An empirical overview of the vulnerabilities is also presented, and the survey concludes with a presentation of the most important security challenges, paired with possible future initiatives to fight against each one.

These threat analyses cover a wide range of the possible threats concerning IoT infrastructures and products. Taking them into consideration, in Section 3 we create a picture of the baseline security requirements, and consequently the security measures that need to be in place in order to protect IoT deployments from such threats.

2.2 Artificial Intelligence-based Approaches

Artificial Intelligence (AI) and Machine Learning (ML) techniques are employed in a variety of methods for IoT security. Although manual labour and configuration are not yet fully replaceable in this domain, there is a number of aspects where AI techniques can provide great results towards a secure IoT ecosystem. In [5], the use of artificial neural networks (ANNs) as an intrusion detection system to combat DDoS attacks is evaluated. A multilayer perceptron neural network (MLP) is used to create an anomaly-based intrusion detection system. Experiments in a custom IoT deployment show a great detection rate of 99%, while also providing a low false positive rate, which is one of the most significant goals of an intrusion detection system. Other than neural networks, techniques that perform well into network intrusion detection are k-NN, Random Forest, and Support Vector Machines [35, 61].

Local malware scanning is also an aspect where artificial intelligence techniques can be a great supplement to existing signature-based techniques. While signature-based approaches can protect against known malware, monitoring behaviour with AI techniques can often protect against new or unknown malware. In [56] there is a proposition for the use of k-NN and Random Forest classification algorithms on collected traffic data to identify malware with a high accuracy on standard datasets. The lack of resources in constrained devices is also addressed, where the solution is to collect application traces locally, and appoint the model training and predictions to a capable and trusted external server.

In [56], two unique use-cases are also reported, where ML can play a significant role in IoT devices. The first is for secure IoT off-loading as a method to combat jamming and Man In The Middle (MITM) attacks. Using reinforcement learning, and specifically the Q-learning technique, the model takes into consideration the task priority, channel bandwidth, gain, and jamming power in order to decide on off-loading policies according to a Q-value that indicates the long term reward from choosing this policy. Using this approach, the device can choose optimal offloading channels and subbands in order to avoid interference and jamming as well as spoofing attacks. Convolutional neural networks can also be used for the same purpose but they require more computational resources than Q-learning. The second case of [56] regards authentication using ML methods in order to avoid spoofing attacks. By using physical layer indicators, such as the received signal strength or the channel state information, learning techniques are able to exploit the indicators’ connection to spatial characteristics in order to lure out connections that are initiated from outside a threshold proximity, reducing this way spoofing rates. Other than Q-learning, both supervised (distributed Frank Wolfe and incremental aggregated gradient) and unsupervised algorithms (Infinite Gaussian Mixture Model - IGMM) are used. For more resourceful devices, deep neural networks can also be applied to further improve the accuracy rates. IGMM is also reported as a useful algorithm for authentication by fingerprinting [24], where it is used to validate the credibility of the device by comparing the IGMM result with an expected value depending on the device’s nature and shape. With respect to environmental changes, the model is able to distinguish a normal from a malicious one.

ML and essentially supervised learning methods usually require significant volumes of information termed as "Big Data" populating datasets used in security AI [60]. Information, apart from being the input that affects a model’s decision, also plays a significant role in training, improving prediction accuracy and validating its efficiency. In order to leverage the advantages AI has to offer, we need to establish a way to collect, clean, and format corresponding data. An infrastructure for collecting, storing and analysing big data in IoT systems is presented in [47]. A data collection and actuation layer is introduced, with the collection aspect comprised of system- and application-level probes, a probe registry listing all the used probes, and a data routing middleware to route the data to the respective recipients. The actuation aspect includes Security Policy Enforcement where the data collected can be used to drive security decisions (e.g. disabling a service or closing a port) and visualizations where collected data and analyses are being displayed. The infrastructure also offers management agents and configuration tools.

2.3 Security Evaluation on Existing IoT Solutions

As IoT continuously evolves, it is useful to frequently perform security evaluations of widely used IoT platforms, frameworks, devices, products, and protocols. By reviewing the security controls in products that are currently in use or available for sale across the world, we can both see the common trends in security and their impact, as well as highlight the needs for more robust solutions.

In [9] a survey is presented on the architecture, hardware and software specifications, and security features regarding authentication, authorization, and secure communications in multiple IoT frameworks developed by popular vendors. These products are AWS IoT (Amazon), ARMbed (ARM), AzureIoT (Microsoft), Brillo/Weave (Google), Calvin (Ericsson), Homekit (Apple), Kura (Eclipse) and Smart Things (Samsung). Considering the conclusions, authors compare the chosen security controls and discover trends, such as the universal use of TLS/SSL and the popularity of AES cryptography and X.509 certificates.

The security of IoT products created for the Smart Home domain is examined in [7], including televisions, bulbs, etc. After decomposing deployments into 4 parts, namely the device, the mobile application, the cloud endpoint, and the communications, they proceed to explore existing research to identify the attack vectors of each part. These are cross-referenced to a wide variety of home IoT products. Next, by using the CVSS (Common Vulnerability Scoring System) standard [33] and associating every product with known CVEs (Common Vulnerabilities and Exposures) that are publicly known, they evaluate each product’s security posture.

Meanwhile, there is research focusing in other domains as well, such as the Healthcare domain, e.g. in [42], where an evaluation of medical devices’ resiliency is performed to a plethora of attacks with an emphasis on the significance of cryptography. In the case of the Industrial IoT domain the work of [4] focuses on the security of such deployments to explore a method of continuous risk assessment.

3 SECURITY AUDITING METHODOLOGY FOR IOT ECOSYSTEMS

The Internet of Things is a complex ecosystem that consists of multiple significant components that one should be aware of. Moreover, as far as cyber-security is concerned, each of these components introduces its own security concerns resulting in a wider attack surface. In this section we present a coordinated methodology for decomposing complex Internet of Things ecosystems into simpler categories, and identify essential security controls and practices that should be applied in these components in order to improve the security of the overall ecosystem.

3.1 Asset taxonomy on a typical IoT Ecosystem

Despite the heterogeneity of IoT ecosystems that are currently deployed in the real-world, there are some components that are essentially the same in whichever ecosystem one decides to examine, and by identifying these components we can create an image of a typical IoT ecosystem, and this way generalise on its various assets and functionality. Figure 1 presents a typical IoT ecosystem and enumerates its basic assets, providing an asset taxonomy; we identify nine different basic assets, each with a separate role in the ecosystem, associated with different stakeholders, and introducing its own security risks. The asset taxonomy approach is definitely not new [1]. Our taxonomy, however, takes into consideration the human factor, as well as further decomposes the platform aspect for more structured assessment of its parts, distinguishing the following asset categories:

Figure 1: Asset Taxonomy of a typical IoT ecosystem

Users. The entities that constitute the end-users of the ecosystem, and who benefit from its use. Users can be individual persons, organizations, companies, or even whole countries. Apart from profit makers, this category also includes participants beyond development or marketing professions.

Devices. Smart watches and smart home equipment, sensors, surveillance cameras, and generally low-resource internet connected devices, all fall under this asset category. The devices can have both sensing and actuating capabilities.

Communication Channels. Communication channels are intangible entities and present the mechanisms that allow the interconnection and communication of users and devices to remote storage and computation spaces called the cloud.

Message Brokers. The message brokers are entities that reside in the platform part of the ecosystem and are the main entrypoints for data coming from IoT devices. The message brokers typically support many application protocols in order to promote interoperability and allow communication with other IoT devices.

Web Applications. The web applications are the IoT platform’s entry points for Users, i.e. typical web interfaces that allow logging in and performing the various actions that each platform provides. Examples include adding/removing devices, handling data and incorporating logic, or exporting respective data from the platform.

Database Systems. The database systems are responsible for storing data. They can be relational or non-relational, depending on the platform, and they are key components for various mechanisms, such as authentication and authorization, data management, and the provisioning of data to IoT applications.

Internet of Things services/applications. This asset refers to applications that perform logical operations on data provided by IoT devices, or databases and output results that benefit the Users. Most platforms provide a set of predefined services, and some of them also allow the creation of custom applications which are usually executed into virtualized environments.

Back-end Servers. The back-end orchestrates the functionality of IoT platforms. It handles the interconnection and logical operation of the different assets, specifically the databases, the message brokers, the web applications, and other IoT services.

Deployment Infrastructure. This layer constitutes the basis of IoT platforms, either on edge, or cloud level. It refers to the physical servers where the platforms run, and the network deployment (routing, DNS etc.) that allows the communication between users and devices, with the remote platform services. It also provides connectivity capabilities to the platforms as well as bandwidth management.

3.2 Asset security requirements and countermeasures

The assets of this taxonomy can be found in the majority of IoT ecosystems and can be used to decompose a specific ecosystem respectively, regardless of the different implementation and technical specifications. Such an approach makes the security assessment simpler, as it focuses on the sub-surface that a researcher has to audit each time. Now, each asset should be assessed sequentially and the methodology should inform the researcher of requirements that need to be satisfied. Next, recommendations and best practices can be provided that will make each individual asset, and collectively the whole ecosystem, more secure. The propositions should provide a secure and trusted baseline that the stakeholders of each asset can build upon. Overall, there are some security measures and practices that are applicable to almost any asset category, and for that reason we discuss them first, in order to avoid repetition.

(1) Keep everything up to date. Commercial systems and programs are constantly updating with new versions and patches, often addressing one or more CVEs. Thus, it is important to update the software versions regularly, since an internet search is enough for a malicious actor to inspect and possibly harm a vulnerable system.

(2) Backups. Frequent backups are an essential good practice that needs to be followed. Source code, database information, configurations and other data that might be deleted by mistake or malice should be kept in a separate storage medium, as backups with controlled access. This allows for quick recovery of production and even identification of a vulnerability in the event of a security incident.

(3) Monitoring and Logging. Keeping information about change in states of assets is important. Logging significant events is useful for debugging, or, in our case, for inspecting security incidents. Monitoring is similar to logging, nevertheless presenting results in more intuitive ways (e.g. real-time graphs), and raising alerts when behaviour deviates. Often, ML techniques build models based on such values to predict and avoid unwanted situations, such as DoS attacks.

Based on the security control propositions that follow, we have compiled thorough checklists that summarize these measures (see footnote 1).

3.3 Users

In the ICT domain, the human factor is widely assumed to be the most weak and exploitable one. The occasions in which the human factor becomes the reason for a security breach mainly fall under three categories: insider threats, careless and unaware personnel or users, and lack of business security culture/strategy.

One measure that is applied at scale for this type of asset is the signing of NDAs (Non Disclosure Agreements), legal contracts signed by the employees, that forbid them from disclosing information regarding the company to third parties, protecting this way the intellectual property of the organization. Another measure is the strict access control over the company’s assets; this can be achieved by monitoring access, logging, and analysis. Company-wide policies for least privilege and segregation of duties can also be applied, so that access is given to only the assets that are absolutely necessary for the completion of each employee’s function. In this regard, AI technology can also contribute through User and Entity Behavioral Analytics (UEBA), that monitor user behaviour to identify anomalies and potentially prevent malicious actions. Tools like IBM QRadar UBA are able to monitor human factor behaviour, assign roles and identify role behaviour deviations to alert on occasions like tool misconfigurations, sharing of credentials, or admins changing user attributes [39].

Security awareness training is used to cultivate the personnel’s security culture, awareness of good practices and sense of responsibility. Occasional briefing on security and simulation of attacks such as phishing from the security teams of companies to the rest of the teams, can help create good practice habits on the employees that can collectively improve the security posture of the company. The power of machine learning can also be leveraged here, as algorithms such as kNN, SVM, Random Forest, Neural Networks as well as unsupervised and similarity learning techniques perform well into detecting social engineering attacks such as phishing [6, 43] and malicious URL links [50, 52].

Regarding management strategies, which are not purely technical but could improve the security of the company significantly, responsible vulnerability disclosure programs can be incorporated. Here, external researchers or regular users that manage to find a bug in a product can disclose it to the engineering teams of the product so that it is quickly patched before it is exploited. In such cases, the individual can be rewarded financially, or in another way, depending on the severity of the found bug. This gives an incentive for researchers to disclose the bugs responsibly and not personally profit from them with malicious activities. Another significant measure is periodic company-wide risk and threat assessment, by either the company’s internal security team or employment of external “red” teams and penetration testers. Finally, security incident scenario strategies should be in place in order to define the actions that will take place in the worst case of a security breach so that the company can identify a potential security hole, patch it and recover from the breach as soon as possible.

3.4 Devices

The Devices asset consists of every IoT device in the ecosystem. From a security perspective, the aspects of hardware, software architecture and physical security of the device should be examined.

Physical security is defined by the controls that exist in place to protect against malicious activities from actors with physical access. There are a lot of techniques that users and device vendors can apply in order to improve the physical security of their product, e.g. make sure that the device is not accessible, or not leave physical ports exposed. AI biometric access control to the IoT devices is encouraged when combined with rule-based access such as passwords, as AI substantially improves the accuracy of fingerprint, facial or iris scans [59]. Additionally, tampering prevention mechanisms [19] should be considered, that make it difficult for someone to physically tamper with the device, e.g. boards encapsulated, or coated with specific materials such as epoxy or silicone. Security fuses are also widely used, and they are mechanisms of access control to the on-chip memory. These mechanisms are usually built in a way that they destroy stored data in the case that someone attempts to erase or reprogram them, as can happen for example with UV lights in semi-invasive attacks. In many cases, tampering detectors are also installed into the device. This way many types of physical attacks can be detected and be handled accordingly. Side channel attacks [8] are also a major threat for embedded devices. Passive side channel attacks resort to analysing times, power consumption and temperature during cryptographic operations in order to identify properties, algorithms used or even keys. Countermeasures insert randomness in order to render the analysis useless, by time skewing, random heating, cache flushing, disabling or bypassing and many more methods.

Internet of Things devices can also be severely susceptible to Denial of Service attacks. Vampire attacks [55] attempt to drain the battery of ad-hoc wireless devices to induce DoS, where the nodes shut down and do not communicate with the rest of the deployment. Mitigation controls include the ability to reroute at each node if a shorter route is known or introducing a no-backtracking metric that ensures the gradual progress of network packets and avoids loops. DoS can also be avoided through frequency hopping, using directional antennas, or by spectrum spreading [16].

Trusted computing [54] is another aspect of the embedded IoT devices’ security. Trusted Execution Environments (TEEs) are processing units that ensure the protection of included code and data. Usually this is achieved by dedicated co-processors where security tasks are being offloaded from the main processor, and secure memory (dedicated on-chip RAM). Also, since outside the TEE data are not secure, there should be integrity checks for detecting modifications while outside. Secure booting is a significant feature of a TEE, as it verifies an image before it is executed, and in order to be successful secure storage of signatures and secure code for verification must be ensured. Therefore, the keys and signatures are written into protected read-only memory called hardware root of trust, that usually is on-SoC (System on chip) OTP (one-time-programmable) hardware that acts as anchor for the chain of trust.

Firmware updates are another issue that should be addressed.
It is suggested that firmware updates should be encrypted and authenticated as well as be installed over the air (OTA) via secure protocol channels. Finally, application whitelisting is a popular method for avoiding malware installed inside the device. In [21], a store of binary checksums collected at a clean device state is used to block untrusted software execution and prevent its spreading. Malware detection in IoT devices can also be performed by static analysis of high level features using multiple classifiers like RIPPER, SVM, neural networks and more [37].

Footnote 1: https://github.com/EvangelouSotiris/Security-Assessment-in-IoT-Ecosystems_Summary-tables/raw/master/Summary_tables.pdf

3.5 Communication Channels

Inside an IoT ecosystem, devices need to communicate. The data exchanged within the communication channels can be sensitive and private, thus eavesdropping and tampering must be avoided. Cryptography is the method that is widely used in order to avoid typical MITM attacks, and Transport Layer Security (TLS) is the standardized solution for secure encrypted communication. Specifically, TLSv1.2 and TLSv1.3 are the standardized (defined in RFC5246 [44] and RFC8446 [45] respectively) non-deprecated protocol versions used at the moment. The use of TLS assures confidentiality, authentication, and integrity. TLSv1.3 provides faster and more secure communication than 1.2, with more features such as Forward Secrecy. Lastly, TLS provides the capability for two-way authentication. Servers carry X.509 certificates to be trustworthy but clients can also carry certificates signed by a trusted CA. This can be useful in the ecosystem of IoT in order to authenticate devices that send data to the cloud applications. When TLS client certificates are not preferred, the devices can be authenticated through the use of AI algorithms for proximity-based or fingerprint-based authentication, where IGMM, Q-learning and neural networks are found to produce highly accurate results [24, 56].

The use of cryptography, however, presents the engineers with a significant tradeoff in the case of Internet of Things devices. Overheads in time and processing power happen during the calculations for encrypting, decrypting and key generating and exchanging. Consequently, there is a need to use lightweight algorithms for these security tasks that will not compromise the security posture of a potential IoT device, neither will it compromise the device’s performance and latency in performing its functionalities.

Starting off with asymmetric cryptography, between the two options in Diffie-Hellman (DH) and RSA, the first is preferred, and mostly its version leveraging elliptic curves (ECC) and featuring forward secrecy - Elliptic Curves Diffie Hellman Ephemeral (ECDHE). On symmetric cryptography, AEAD algorithms that encrypt and authenticate in one pass are gaining popularity, with AES-GCM and the ChaCha20-Poly1305 combination being the most secure, fast and least resource intensive options. ChaCha20-Poly1305 is proposed in [10] as the favorable option for smart devices in TLSv1.3,

So far, we have assumed that the devices have the capabilities of establishing a TLS connection with a remote server. In some low-resourced devices though this is not the case, and the minimum threshold for TLS-based solutions is 10KBs of RAM and 100KBs of ROM. In these situations a middleware is needed to provide the TLS-based communication for the constrained IoT devices [27].

3.6 Message Brokers

Message brokers are the entry points of IoT device data to the IoT platform, and they usually work with multiple application layer protocols such as HTTP (REST), MQTT and CoAP. TLS and X.509 certificates are the way to secure communication between devices and message brokers, as already discussed. If mutual authentication is configured, this is the asset to perform device authentication and determine access rights. Otherwise, authentication with passwords or tokens can also be implemented, where the broker can rely on the back-end for authentication purposes.

Another security measure that can be typically implemented here is authorization and access control, so that IoT devices can publish to a particular topic, with their data used by the intended subscribers alone, and vice versa so that subscribers ensure that the data originate from specific trusted publishers. Each Message Queue/Broker server usually provides a certain way of defining access control and authorization policies, but the two most common approaches are Access Control Lists (ACL) which are lists that associate users with permissions and Role-Based Access Control (RBAC) where roles are associated with permissions and users can have one or multiple roles, inheriting their permissions. Genetic Algorithms can be used for role-mining in order to automatically create roles and define RBAC policies [18]. [28] also presents some other authorization trends such as UCON (Usage control) which is used for continuously mutating authorization factors such as pay-per-view or metered payment situations and CapBAC which uses tokens to associate users with specific capabilities.

3.7 Web Application Interfaces

Web applications usually are the asset that offers the largest attack surface since they provide a wide range of functionalities triggered by user actions, and they are fully visible to the public. There are numerous ways to “harm” a web application, and there are also various tools available to help to this end. Here as well, encryption between users and the front-end is essential.

A well known category is the injection attacks. This refers to commands being passed to an interpreter or another program, where part of the commands is derived from user input.
SQL, NoSQL, but in TLSv1.2 AES-GCM is proposed, especially with the perfor- LDAP, and OS injections belong to this category. User input valida- mance spike in devices with specific instructions for hardware tion and sanitation is needed to constrain the choices the user has in acceleration in specific cryptographic steps. the data entered. Moreover, access control should be implemented Regarding hashing algorithms, the performance evaluation gen- correctly and carefully so that users only have access to authorized erally seems to have minimal significance compared to e.g. the content. The authorization is mostly implemented with middleware latency and energy consumption of asymmetric algorithms. Nev- software between function calls that acknowledges whether the ertheless, in [40] there is a study on hashing algorithms in IoT user is authorised to access the functionality after the middleware. platforms and embedded devices, where Blake2 [12] is found to General web application attacks are also relevant here, such as cross- be more lightweight, energy efficient and fast. Other lightweight site scripting, external XML entities (XXEs), information-exposing hashing families of algorithms are Photon [23] and Quark [11]. error reporting, unprotected assets and more. The identification of such vulnerabilities is based into detecting Whenever the execution of a process needs to be controlled, the entrypoints of user input and applying validation and escaping there is a need for isolated environments, and the solution is usu- when this input is going to be used into HTML, CSS, Javascript ally through virtualization. These types of environments are capable and generally any interpretable content, or using modern frontend of running non-trusted programs or opening non-trusted files that frameworks that tend to provide automatic sanitization e.g. Angular. 
could potentially be malicious inside a controlled environment with- The use of security tools for web applications testing is applicable out directly affecting the server in which they reside. Containers here as well, such as Arachni, OWASP ZAP, W3af and Wfuzz. Fi- are heavily preferred for application deployment as they are fast nally, web application firewalls can help mitigate lots of attacks to deploy and kill, and easier to control. Containers have some through a mixture of the traditional signature-based approach and inherent security characteristics but there is a number of measures supervised or unsupervised Machine Learning techniques to handle that can be taken to protect the system whenever containers run unknown injection attacks [22, 31]. non-trusted user code. [53] propose to run containers inside a VM in order to add the virtual kernel layer of security in the case of a 3.8 Database Systems container escape. Other measures to increase security are running the programs created by the user as non-root and with least privi- Databases are the assets that hold the majority of the data of the IoT leges, and in secure minimal container images containing just the ecosystem, as well as the functionality to access it. The information necessary binaries that each program functionality requires. Also, stored should be protected in terms of confidentiality and integrity. restricted versions of programming languages are usually employed, Starting with the SQL injection vulnerability mentioned previously, in order to avoid language-specific capabilities such as execution of stored procedures was proposed as a way to limit outer effect to shell commands. Lastly, in some cases the spawned services might internal queries. Access control in query capabilities is also essential. attempt to starve the host of resources for prolonged timeframes. 
The user that makes the queries should not be ‘root’, but should only Thus, there should be a time and resource (CPU, Memory, Storage) have restricted authorization. Furthermore, the databases should quota on the spawned containers in order to avoid this kind of DoS not be directly exposed to the internet where remote malicious incidents. Also, the network accessibility of the containers should actors could potentially gather information, as well as send payloads be controlled and constrained to the extent possible. for penetration testing. Data, and essentially sensitive data should be protected, e.g. in the incident of an information leakage; credential information such as passwords should be hashed, and the authentication should be performed by comparing the hash of the password given by the login form with the password hash located in the database, so that 3.10 Backend Servers even if the case that this hash is leaked, the malicious actor cannot Backend is the asset where the functionality of the different parts of discover the original password without bruteforcing. Additionally, the IoT platform is orchestrated. Data is received there and stored the whole database could be encrypted though that does come with into databases, or sent to processing services. Also, communications a trade-off in the latency (and potential insecurity) that the middle- with the Frontend Web Applications are facilitated to address user ware application that encrypts and decrypts the data introduces. requests. The backend also provides functionality over the Internet, Cryptographic key management is also an issue that should be mostly through Application Programming Interfaces (APIs). Web tackled in the database asset level. 
Private, Symmetric and Hash application and Database Security have already been discussed in keys that are used to encrypt, decrypt or digitally sign data need their respective sub chapters, so here the focus is to the APIs used to be kept on a secure storage where they are accessed only by either by other assets or external users. authenticated users, mostly developers. First and foremost, these First, the publicly exposed APIs should be protected with encryp- keys should not be kept in the database with the data they protect, tion in order to avoid eavesdropping. Also, authentication should and if possible not even in the same server. In the case they are be enforced in order to use the API, usually through API tokens. placed in the same server, they should be given appropriate read- Authorization should also be kept in mind since, the APIs must write-execute permissions. A solution heavily proposed, although ensure that the user only accesses and uses the content he is au- expensive, are Hardware Security Modules (HSMs) which are hard- thorized for. The rate of the requests is another factor that needs ware solutions for keeping keys and performing cryptographic to be accounted for in order to avoid DoS situations and make tasks for the server. the API scalable. Rate limiting can be implemented in many ways, with the most popular being putting the request in message queues 3.9 Processing Services and process each one in a specific rate, or throttling of the user’s The driving force of IoT are applications and services that process connection (bandwidth limiting) upon detection of surpassing the incoming data from the devices and forward results to users, or request rate. Input parameter validation should be made in the API other devices and applications. A range of preset applications is requests as with any entry point, using rules to enforce consistency usually provided by the platform to the users, but most of the com- with the API’s expectations. 
The validation could be implemented mercial platforms also allow users to create their own applications, as a middleware receiving the requests at an API gateway which deploy, and share them with the community. As with any user input could be used for other reasons as well, such as monitoring API and especially executable content in this case, several security risks traffic and applying machine learning and AI to find deviations are posed for the platform and should be carefully handled. from normal behaviour and flag possible attack attempts. 3.11 Deployment Infrastructure that can indicate how updated and secure against harmful remote A substantial part of the IoT ecosystem is hosted on cloud or edge cyberattacks a country’s systems are, and, consequently, assess each infrastructure. Starting from physical security, the infrastructure is country’s security awareness. This measure is termed as LSAR, for expected to have strict access control with multi-factor authenti- Lack of Security Awareness Ratio. In theory, high values of LSAR cation to the machines and other assets, camera surveillance and indicate greater density of vulnerable and exploitable devices in a a great resiliency to physical disasters. Device and network mon- group of devices, deeming that group as a more possible target of itoring is also imperative, with alerts triggered in case of strange malicious actors than one with a smaller LSAR. Í behaviour. Strict control should also exist in the application level, (#𝑂𝑐𝑐𝑢𝑟𝑒𝑛𝑐𝑒𝑠𝑖 × 𝐶𝑉 𝑆𝑆𝑠𝑐𝑜𝑟𝑒𝑖 × 𝐸𝑥𝑝𝑙𝑜𝑖𝑡𝑎𝑏𝑖𝑙𝑖𝑡𝑦𝑠𝑐𝑜𝑟𝑒𝑖 ) 𝐿𝑆𝐴𝑅 = 𝑖 with secure, authenticated, and authorised management software #𝐷𝑒𝑣𝑖𝑐𝑒𝑠 on the provider’s side. On deployment, CSPs should ensure VM where quotas are met, and VMs are isolated when the deployment is not 𝑖 ∈ {CVE-X|𝐶𝑉 𝑆𝑆𝑠𝑐𝑜𝑟𝑒𝑖 > 6.0 ∩ 𝑉 𝑒𝑐𝑡𝑜𝑟𝑖 ∉ 𝐿𝑜𝑐𝑎𝑙, 𝑃ℎ𝑦𝑠𝑖𝑐𝑎𝑙 } on a dedicated machine. Cyberthreat detection is also required in order to provide ap- propriate protection. 
Multi-technology systems are deployed in The resulting LSAR values are shown in Table 1: strategic network locations for this purpose, such as Network Intru- sion Detection systems (NIDS) and Network Intrusion Prevention Table 1: Top 20 countries by LSAR Systems (NIPS) that essentially combine the NIDS real-time threat detection with linkage to firewall rules in order to block those 0 HTI 1.422832 10 MYS 0.404316 threats. These systems are based on anomaly detection techniques 1 UZB 1.164537 11 TWN 0.398422 to detect deviations from normal behaviour and block untrusted 2 ZWE 0.782047 12 PER 0.397818 data packets before they reach the hosts. This approach allows not 3 HKG 0.721822 13 TJK 0.392794 only protection against known attacks, which could very well be 4 ETH 0.636363 14 ZAF 0.379868 avoided by the firewall rules, but also against unknown attacks 5 JOR 0.522041 15 SEN 0.372707 in some cases. Many machine learning techniques perform well 6 PNG 0.455162 16 GTM 0.348438 in intrusion detection including Neural Networks (CNNs, MLPs), 7 LBN 0.451086 17 CHN 0.331362 SVMs, Naive Bayes, Decision Trees and Logistic Regression [14]. 8 MRT 0.441238 18 SLE 0.323695 Having defined the security controls for each asset in the taxon- 9 KGZ 0.405626 19 BTN 0.321850 omy, in what follows, we present a metric that can be used to col- lectively assess the security awareness in large pools of IoT-enabled Results include the countries with the biggest LSAR metrics, devices, in order to highlight the vulnerabilities to be addressed. meaning the countries with the least security preparedness against known exploits and remote cyberattacks, hence least security aware- ness. To validate LSAR, we compare it with results from a sur- 4 LACK OF SECURITY AWARENESS RATIO vey [13] for the best and worst security in countries. 
The survey We hereby define a metric that can be incorporated to show how includes data up to March 2020, which is adequately close to data well protected an IoT ecosystem is, by examining a number of collection from Shodan for the LSAR computation (late April, 2020). indicators that can be retrieved without authorized access to assets. In this survey, countries are ranked for the percentage of mobile de- The data used to compute our metric are collected using Shodan, vices and computers infected with malware, the number of financial a global crawler for Internet-connected devices. It scans global IPs, malware attacks, the percentage of all telnet attacks by originating collects information such as the organization name, location, do- country, of users attacked by cryptominers, and the best-prepared main name, open ports, services, and attempts to grab the banner of countries for cyber attacks. the audited services to learn more specific information, e.g. version, Combining this survey’s results with LSAR, 65 countries belong and then map it with specific CVE vulnerabilities. Using Shodan in both of the datasets and thus can be compared. We explore the API, we initially collect information about the number of internet correlation between the LSAR feature and the features introduced connected devices globally categorised by country, for the top 200 by the Comparitech survey. Results are shown in Fig. 2 and Fig. 3, results, excluding those with population of less than 300,000. for the Pearson and Spearman correlation coefficients, respectively. First, we determine the number of devices found vulnerable with LSAR has a moderate uphill relationship with cryptomining specific vulnerabilities with CVE identification numbers. Next, the attacks (+0.52,+0.54 correlation coefficients). This means that a high weighted sum of them was computed for each country using as LSAR is correlated with a high percentage of cryptomining attacks. 
weights their CVSS score, and their exploitability score. From the These, being one of the most popular uses of botnets, tend to target calculated vulnerabilities with less than 6.0 CVSS score or Local/- remotely exploitable devices, in order to amass computing power Physical attack vector were excluded in order to keep only severe for mining operations in blockchain cryptocurrencies. and relatively easily remotely exploitable vulnerabilities. In that LSAR has a moderate uphill relationship with financial malware regard, it was assumed that devices with vulnerabilities in that attacks, malware targeting bank accounts to steal money from category would most likely become a cyber-attack target because victims (+0.58,+0.46 correlation coefficients). While this correlation of the ease of exploit and impact that a malicious actor can deliver. validates the relationship of high LSAR with high percentage of Dividing the weighted sum of vulnerabilities per country with malware targeting the victim, we require additional data which are the number of internet connected devices in each, results to a metric hard to acquire to explore whether this assumption is valid. fact that most of it deviates from attacks like phishing, downloaded malware disguised as a useful program or infected drives. The case of the Shodan findings is the vulnerability to external cyberattacks so a huge proportion of the variability that could be explained is missed, thus the insignificant correlation with mobile and computer malware. Telnet attacks and LSAR also have insignificant correla- tion which is explained from the fact that they are bruteforcing attacks, not CVE-specific exploits. Summarizing, we can see that even the omission of a simple activity such as consistent updating of software to secure versions can compromise the security of a device, and collectively widen the attack surface of the device’s environment. 
The LSAR is a metric that can be used to assess the security posture of a large group of internet connected devices, owned and handled by different individuals or organizations by checking the exposure to potential common vulnerabilities (CVEs). Apart from countries, large groups of machines/devices could also be considered to be Wide Area Networks (WAN), geographical regions such as cities, or even large Figure 2: Pearson correlation coefficient data centers were the VM could take the place of devices, and in those cases LSAR can provide a general view of the awareness of security as well as the density of vulnerable points inside the group. 5 CONCLUSIONS In this paper, we established a structured methodology towards assessing the security posture of an Internet of Things ecosystem and reinforcing it. This is achieved through a divide and conquer approach where we decompose the ecosystem into the assets that compile it, inspecting each asset’s attack surface, defining security requirements, and proposing mitigations or good practices. This work aspires to become a handy guide for developers, researchers, engineers or managers working on the IoT domain, and contribute to the vast research towards secure IoT deployments and products. Potential future work includes a practical application of the defined methodology into a real IoT ecosystem focused on a specific use- case, such as a power-grid or a vehicular Ad-hoc network. Such an approach could validate the methodology’s applicability and usability as well as yield potential insecure factors that this work has not yet taken consideration of. 
Figure 3: Spearman correlation coefficient ACKNOWLEDGMENTS Charilaos Akasiadis acknowledges partial support of this work by LSAR and the best-prepared metric of the Comparitech survey the project SYNTELESIS “Innovative Technologies and Applications have a moderate downhill relationship (-0.28,-0.30 correlation co- based on the Internet of Things (IoT) and the Cloud Computing” efficients), which is expected. This further validates our findings (MIS 5002521), which is implemented under the “Action for the rendering LSAR as a metric to check the security posture of a sum Strategic Development on the Research and Technological Sec- of devices, in this case a country. The coefficients are not very tor”, funded by the Operational Programme “Competitiveness, En- high, which could be explained from the specificity of the use case trepreneurship and Innovation” (NSRF 2014-2020), and co-financed of the Shodan findings (external attacks) compared to the best- by Greece and the European Union (European Regional Develop- prepared feature which is derived from the Global Cybersecurity ment Fund). Index scores [25]. The GCI score performs a general security evalu- ation on a country’s cybersecurity including factors such as cyber REFERENCES crime legislations and information extracted from questionnaires, [1] 2017. Baseline Security Recommendations for IoT: in the context of critical infras- hence the index is not fully consistent with our case. tructures. Technical Report. ENISA: European Union Agency for Cybersecurity. LSAR has a weak uphill relationship with mobiles infected with [2] 2019. Good Practices for Security of IoT: Secure Software Development Lifecycle. Technical Report. ENISA: European Union Agency for Cybersecurity. malware. Additionally, there is a non-significant relationship of [3] 2019. Guidelines: Internet of Things (IoT) Cybersecurity Guide. Technical Report. LSAR with computer malware which could be explained from the Infocomm Media Development Authority. 
[4] C. Adaros Boye, P. Kearney, and M. Josephs. 2018. Cyber-Risks in the Industrial Internet of Things (IIoT): Towards a Method for Continuous Assessment. In Information Security. Springer Int. Publishing, 502–519.
[5] T. Ahanger. 2018. Defense Scheme to Protect IoT from Cyber Attacks using AI Principles. Int. Journal of Computers Communications & Control 13 (11 2018), 915–926. https://doi.org/10.15837/ijccc.2018.6.3356
[6] A. A. Akinyelu and A. O. Adewumi. 2014. Classification of Phishing Email Using Random Forest Machine Learning Technique. Journal of Applied Mathematics 2014 (03 Apr 2014), 425731. https://doi.org/10.1155/2014/425731
[7] O. Alrawi, C. Lever, M. Antonakakis, and F. Monrose. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA. https://doi.org/10.1109/SP.2019.00013
[8] J. Ambrose, R. Ragel, D. Jayasinghe, T. Li, and S. Parameswaran. 2015. Side channel attacks in embedded systems: A tale of hostilities and deterrence. 2015 (04 2015), 452–459. https://doi.org/10.1109/ISQED.2015.7085468
[9] M. Ammar, G. Russello, and B. Crispo. 2018. Internet of Things: A survey on the security of IoT frameworks. Journal of Information Security and Applications 38 (2018), 8–27. https://doi.org/10.1016/j.jisa.2017.11.002
[10] B. Arunkumar and K. Govardhanan. 2018. Analysis of AES-GCM Cipher Suites in TLS. 102–111. https://doi.org/10.1007/978-3-319-68385-0_9
[11] J.-P. Aumasson, L. Henzen, W. Meier, and M. Naya-Plasencia. 2010. Quark: A Lightweight Hash. Journal of Cryptology 26, 1–15. https://doi.org/10.1007/978-3-642-15031-9_1
[12] J.-P. Aumasson, S. Neves, Z. Wilcox-O’Hearn, and C. Winnerlein. 2013. BLAKE2: Simpler, Smaller, Fast as MD5. In Applied Cryptography and Network Security. Springer Berlin Heidelberg, Berlin, Heidelberg, 119–135.
[13] Paul Bischoff. 2020. Which countries have the worst (and best) cybersecurity? https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/.
[14] N. Chaabouni, M. Mosbah, A. Zemmari, C. Sauvignac, and P. Faruki. 2019. Network Intrusion Detection for IoT Security Based on Learning Techniques. IEEE Communications Surveys Tutorials 21, 3 (2019), 2671–2701.
[15] A.B. Chebudie, R. Minerva, and D. Rotondi. 2015. Towards a definition of the Internet of Things (IoT). Ph.D. Dissertation.
[16] M. Dabbagh and A. Rayes. 2017. Internet of Things Security and Privacy. 195–223. https://doi.org/10.1007/978-3-319-44860-2_8
[17] M. Dikmen and C. Burns. 2017. Trust in autonomous vehicles: The case of Tesla Autopilot and Summon. In 2017 IEEE International Conference on Systems, Man, and Cybernetics (SMC). 1093–1098.
[18] X. Du and X. Chang. 2014. Performance of AI algorithms for mining meaningful roles. Proceedings of the 2014 IEEE Congress on Evolutionary Computation, CEC 2014, 2070–2076. https://doi.org/10.1109/CEC.2014.6900321
[19] E. Dubrova. 2018. Anti-tamper techniques. Technical Report. KTH Royal Institute of Technology, Sweden.
[20] B. Farahani, F. Firouzi, and K. Chakrabarty. 2020. Healthcare IoT. 515–545. https://doi.org/10.1007/978-3-030-30367-9_11
[21] T. Gopal, M. Meerolla, G. Jyostna, L. Eswari, and E. Magesh. 2018. Mitigating Mirai Malware Spreading in IoT Environment. 2226–2230. https://doi.org/10.1109/ICACCI.2018.8554643
[22] S. Goswami, N. Hoque, Dhruba K Bhattacharyya, and Jugal Kalita. 2017. An unsupervised method for detection of XSS attack. International Journal of Network Security 19 (09 2017), 761–775. https://doi.org/10.6633/IJNS.201709.19(5).14
[23] J. Guo, T. Peyrin, and A. Poschmann. 2011. The PHOTON Family of Lightweight Hash Functions. In Advances in Cryptology – CRYPTO 2011. Springer BH, 222–239.
[24] A. Hameed and A. Alomary. 2019. Security Issues in IoT: A Survey. 1–5. https://doi.org/10.1109/3ICT.2019.8910320
[25] International. 2020. Global Cybersecurity Index. https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/.
[26] G. Kaur and M. Sohal. 2018. IOT Survey: The Phase Changer in Healthcare Industry. Int. Journal of Scientific Research in Network Security and Communication 6 (04 2018), 34–39. https://doi.org/10.26438/ijsrnsc/v6i2.3439
[27] J. King and A. I. Awad. 2016. A distributed security mechanism for Resource-Constrained IoT Devices. 40 (01 2016), 133–143.
[28] Y. Lee, J. Lim, Y. Jeon, and J. Kim. 2015. Technology trends of access control in IoT and requirements analysis. 1031–1033. https://doi.org/10.1109/ICTC.2015.7354730
[29] S. Liu. 2020. Internet of Things - Statistics & Facts. https://www.statista.com/topics/2637/internet-of-things/.
[30] K. L. Lueth. 2020. IoT 2019 in Review: The 10 Most Relevant IoT Developments of the Year. https://iot-analytics.com/iot-2019-in-review/.
[31] A. Makiou, Y. Begriche, and A. Serhrouchni. 2014. Improving Web Application Firewalls to detect advanced SQL injection attacks. 2014 10th Int. Conf. on Inf. Assurance and Security (11 2014). https://doi.org/10.1109/ISIAS.2014.7064617
[32] M. S. Mekala and V. Perumal. 2017. A Survey: Smart agriculture IoT with cloud computing. 1–7. https://doi.org/10.1109/ICMDCS.2017.8211551
[33] Romanosky S. Mell P, Scarfone K. 2007. CVSS: a complete guide to the common vulnerability scoring system version 2.0. Technical Report. FIRST: forum of incident response and security teams.
[34] S. Mohanty. 2016. Everything You Wanted to Know About Smart Cities. IEEE Cons. Electronics Mag. 5 (2016), 60–70. https://doi.org/10.1109/MCE.2016.2556879
[35] S. Mukkamala, G. Janoski, and A. Sung. 2002. Intrusion detection using neural networks and support vector machines. Proc. of the Int. Joint Conf. on Neural Networks 2, 1702–1707. https://doi.org/10.1109/IJCNN.2002.1007774
[36] N. Neshenko, E. Bou-Harb, J. Crichigno, G. Kaddoum, and N. Ghani. 2019. Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations. IEEE Communications Surveys Tutorials 21, 3 (2019), 2702–2733.
[37] Q.-D. Ngo, H.-T. Nguyen, V.-H. Le, and D.-H. Nguyen. 2020. A survey of IoT malware and detection methods based on static features. ICT Express (2020). https://doi.org/10.1016/j.icte.2020.04.005
[38] S. O’Dea. 2020. Data volume of IoT connected devices worldwide 2018 and 2025. https://www.statista.com/statistics/1017863/worldwide-iot-connected-devices-data-size/.
[39] M. Patel. 2017. QRadar UBA App Adds Machine Learning and Peer Group Analyses to Detect Anomalies in Users’ Activities. Technical Report. SecurityIntelligence.com.
[40] G. C. C. F. Pereira, R. C. A. Alves, F. L. da Silva, R. M. Azevedo, B. C. Albertini, and C. B. Margi. 2017. Performance Evaluation of Cryptographic Algorithms over IoT Platforms and Operating Systems. Security and Communication Networks (2017), 1–16. https://doi.org/10.1155/2017/2046735
[41] H. Qiu, X. Wang, and F. Xie. 2017. A Survey on Smart Wearables in the Application of Fitness. 303–307. https://doi.org/10.1109/DASC-PICom-DataCom-CyberSciTec.2017.64
[42] S. Ragupathy and M. Thirugnanam. 2017. Review on Communication Security Issues in IoT Medical Devices. 189.
[43] S. Rawal, B. Rawal, A. Shaheen, and S. Malik. 2017. Phishing Detection in E-mails using Machine Learning. Int. Journal of Applied Information Systems 12 (10 2017), 21–24. https://doi.org/10.5120/ijais2017451713
[44] E. Rescorla. 2008. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246. RFC Editor. https://www.rfc-editor.org/rfc/rfc5246.txt
[45] E. Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. RFC Editor. https://www.rfc-editor.org/rfc/rfc8446.txt
[46] S. Rizvi, RJ Orr, A. Cox, P. Ashokkumar, and M. R. Rizvi. 2020. Identifying the attack surface for IoT network. Internet of Things 9 (2020), 100162. https://doi.org/10.1016/j.iot.2020.100162
[47] A. Roukounaki, S. Efremidis, J. Soldatos, J. Neises, T. Walloschke, and N. Kefalakis. 2019. Scalable and Configurable End-to-End Collection and Analysis of IoT Security Data: Towards End-to-End Security in IoT Systems. 1–6. https://doi.org/10.1109/GIOTS.2019.8766407
[48] R. Rishi and R. Saluja. 2019. Future of IoT. http://ficci.in/spdocument/23092/Future-of-IoT.pdf.
[49] J. Ruan, H. Jiang, C. Zhu, X. Hu, Y. Shi, T. Liu, W. Rao, and F Chan. 2019. Agriculture IoT: Emerging Trends, Cooperation Networks, and Outlook. IEEE Wireless Communications 26 (12 2019), 56–63. https://doi.org/10.1109/MWC.001.1900096
[50] D. Sahoo, C. Liu, and S. Hoi. 2017. Malicious URL Detection using Machine Learning: A Survey. (01 2017).
[51] D. Serpanos and M. Wolf. 2017. Security and Safety. In Internet-of-Things (IoT) Systems. Springer Int. Pub., 55–76. https://doi.org/10.1007/978-3-319-69715-4_6
[52] A. Sharma and A. Thakral. 2020. Malicious URL Classification Using Machine Learning Algorithms and Comparative Analysis. In Proc. of the 3rd Int. Conf. on Computational Intelligence and Informatics, K. S. Raju, A. Govardhan, B. P. Rani, R. Sridevi, and M. R. Murty (Eds.). Springer Singapore, Singapore, 791–799.
[53] J. Shetty. 2017. A State-of-Art Review of Docker Container Security Issues and Solutions. American International Journal of Research in Science, Technology, Engineering & Mathematics (01 2017).
[54] A. Ukil, J. Sen, and S. Koilakonda. 2011. Embedded Security for Internet of Things. 1–6. https://doi.org/10.1109/NCETACS.2011.5751382
[55] E. Vasserman and N. Hopper. 2013. Vampire Attacks: Draining Life from Wireless Ad Hoc Sensor Networks. Mobile Computing, IEEE Trans. on 12 (02 2013), 318–332. https://doi.org/10.1109/TMC.2011.274
[56] L. Xiao, X. Wan, X. Lu, Y. Zhang, and D. Wu. 2018. IoT Security Techniques Based on Machine Learning. (01 2018).
[57] H. Xu, W. Yu, D. Griffith, and N. Golmie. 2018. A Survey on Industrial Internet of Things: A Cyber-Physical Systems Perspective. IEEE Access 6 (2018), 78238–78259. https://doi.org/10.1109/ACCESS.2018.2884906
[58] L. Xu, W. He, and S. Li. 2014. Internet of Things in Industries: A Survey. IEEE Trans. on Industrial Informatics 10 (11 2014), 2233–2243. https://doi.org/10.1109/TII.2014.2300753
[59] W. Yang, S. Wang, J. Hu, Z. Guanglou, and C. Valli. 2019. Security and Accuracy of Fingerprint-Based Biometrics: A Review. Symmetry 11 (01 2019), 141. https://doi.org/10.3390/sym11020141
[60] O. Yavanoglu and M. Aydos. 2017. A Review on Cyber Security Datasets for Machine Learning Algorithms. https://doi.org/10.1109/BigData.2017.8258167
[61] M. Zamani and M. Movahedi. 2013. Machine learning techniques for intrusion detection. arXiv preprint arXiv:1312.2177 (2013).
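The LSAR computation of Section 4 and its comparison against an external indicator can be reproduced as follows. This is an added example, not code from the paper or its authors: the group names, device counts, findings, indicator values and placeholder CVE identifiers are all constructed, and the attack-vector labels are an assumed spelling.

```python
"""LSAR per group of devices, then Pearson/Spearman against an external
indicator. All data below is constructed; CVE ids are placeholders."""
from dataclasses import dataclass
from math import sqrt

CVSS_THRESHOLD = 6.0                      # the formula keeps CVSSscore > 6.0
EXCLUDED_VECTORS = {"LOCAL", "PHYSICAL"}  # not remotely exploitable


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    occurrences: int       # devices in the group exposing this CVE
    cvss: float            # CVSS base score
    exploitability: float  # CVSS exploitability sub-score
    vector: str            # attack vector label (assumed spelling)


def lsar(findings, devices):
    """Weighted sum of the qualifying findings divided by the device count."""
    if devices <= 0:
        raise ValueError("device count must be positive")
    weighted = sum(
        f.occurrences * f.cvss * f.exploitability
        for f in findings
        if f.cvss > CVSS_THRESHOLD and f.vector.upper() not in EXCLUDED_VECTORS
    )
    return weighted / devices


def pearson(xs, ys):
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equally long samples of size >= 2")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        raise ValueError("correlation is undefined for a constant sample")
    return cov / sqrt(vx * vy)


def ranks(values):
    """1-based ranks; tied values share their average rank."""
    order = sorted(range(len(values)), key=values.__getitem__)
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out


def spearman(xs, ys):
    """Spearman coefficient = Pearson coefficient of the rank vectors."""
    return pearson(ranks(xs), ranks(ys))


# Constructed sample: group -> (internet-connected devices, findings).
GROUPS = {
    "AAA": (1000, [
        Finding("CVE-PLACEHOLDER-1", 50, 9.8, 3.9, "NETWORK"),
        Finding("CVE-PLACEHOLDER-2", 200, 5.3, 3.9, "NETWORK"),  # dropped: score
        Finding("CVE-PLACEHOLDER-3", 30, 7.8, 1.8, "LOCAL"),     # dropped: vector
    ]),
    "BBB": (5000, [
        Finding("CVE-PLACEHOLDER-1", 20, 9.8, 3.9, "NETWORK"),
        Finding("CVE-PLACEHOLDER-4", 100, 7.5, 3.9, "NETWORK"),
    ]),
    "CCC": (20000, [Finding("CVE-PLACEHOLDER-4", 40, 7.5, 3.9, "NETWORK")]),
    "DDD": (800, [
        Finding("CVE-PLACEHOLDER-1", 10, 9.8, 3.9, "NETWORK"),
        Finding("CVE-PLACEHOLDER-5", 25, 8.8, 2.8, "ADJACENT"),
    ]),
}
# Constructed external indicator per group (e.g. a survey percentage).
INDICATOR = {"AAA": 4.0, "BBB": 2.5, "CCC": 0.5, "DDD": 1.5}


def lsar_table(groups=GROUPS):
    return {name: lsar(fs, devices) for name, (devices, fs) in groups.items()}


def ranking(table):
    """Group names ordered from highest to lowest LSAR."""
    return sorted(table, key=table.get, reverse=True)


if __name__ == "__main__":
    table = lsar_table()
    for name in ranking(table):
        print(f"{name}  {table[name]:.6f}")
    names = sorted(table)
    xs, ys = [table[n] for n in names], [INDICATOR[n] for n in names]
    print(f"Pearson  {pearson(xs, ys):+.2f}")
    print(f"Spearman {spearman(xs, ys):+.2f}")
```

The filter follows the formula (score strictly greater than 6.0), so a finding scored exactly 6.0 is left out; the device count in the denominator is the whole group, not only the vulnerable devices.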