Optimal Deployments of Defense Mechanisms for the Internet of Things

08/01/2019 ∙ by Mengmeng Ge, et al. ∙ Deakin University Virginia Polytechnic Institute and State University 0

Internet of Things (IoT) devices can be exploited by the attackers as entry points to break into the IoT networks without early detection. Little work has taken hybrid approaches that combine different defense mechanisms in an optimal way to increase the security of the IoT against sophisticated attacks. In this work, we propose a novel approach to generate the strategic deployment of adaptive deception technology and the patch management solution for the IoT under a budget constraint. We use a graphical security model along with three evaluation metrics to measure the effectiveness and efficiency of the proposed defense mechanisms. We apply the multi-objective genetic algorithm (GA) to compute the Pareto optimal deployments of defense mechanisms to maximize the security and minimize the deployment cost. We present a case study to show the feasibility of the proposed approach and to provide the defenders with various ways to choose optimal deployments of defense mechanisms for the IoT. We compare the GA with the exhaustive search algorithm (ESA) in terms of the runtime complexity and performance accuracy in optimality. Our results show that the GA is much more efficient in computing a good spread of the deployments than the ESA, in proportion to the increase of the IoT devices.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Internet of Things (IoT) is a large-scale network consisting of numerous interacting heterogeneous entities, including machines and/or humans [28, 27, 33]. IoT devices often face severe resource constraints (e.g., sensors, mobile devices) in terms of their energy, computational power, and/or limited bandwidth. Due to the severe resource constraints, conventional, strong security mechanisms, requiring high computational overhead, are not applicable. Sophisticated attackers may easily compromise the IoT devices to penetrate into a target network and launch more severe attacks later on. The sophisticated attackers, often called advanced persistent threat (APT), refer to the attackers that are capable of collecting intelligence about a target, bypass multiple layers of defense mechanisms, and exploit the target’s vulnerability to compromise it. In this paper, we consider two defense mechanisms to increase the security of the IoT networks and investigate how to deploy these defense mechanisms in an optimal manner. Such defense mechanisms may include: (1) deception techniques to divert attackers from real assets; and (2) security patch management solutions to reduce attack surface.

Cyberdeception is used to add an additional layer of defense into conventional security solutions such as intrusion detection systems (or IDSs), firewalls, and/or endpoint anti-virus software. It allows defenders to capture and analyze malicious behaviors by luring the attackers into a decoy system within a network and interacting with attackers. As normal users do not know the existence of the decoy system, defenders will only get alerts caused by the malicious intrusions. A honeypot is one of common deception techniques in order to create a fake asset to protect valuable assets by diverting attackers. However, the management complexity and/or scalability issues of the honeypots hinder more active usage of them by enterprises. Modern deception technology employs the basic honeypot technology with automation techniques, which allows distributed deployment and update of decoy systems to achieve adequate coverage and high cost-effectiveness. In this work, we assume to use the modern deception technology and aim to evaluate the different ways of deploying decoys for providing highly cost-effective defense solutions.

Security patches are used to fix software vulnerabilities to prevent a system from possible exploits with the aim of reducing attack surface. However, the effective patch solution has challenged IoT devices. First, many manufacturers sell the IoT devices with no mechanism in place for automated patch updates. They are only in favor of usability but often neglect security in the design phase [19] in order to gain quick access to the IoT market. This leaves the consumers with unsupported, vulnerable devices after the purchase. Second, some IoT devices (e.g., medical devices) use commercial off-the-shelf (COTS) software for the operating system or runtime environment. Patches for the COTS may not be installed without validating the patches by the manufacturers. To patch the IoT devices, the enterprises need to have agreements with the manufacturers that clarify the obligations for creating and evaluating the patches for the devices and also testing the patches for the COTS running on the devices during the lifecycle support. We will use heterogeneous IoT devices by different manufacturers and assume that the enterprises make agreements with the manufacturers to implement security patch solutions for the IoT products.

In our prior work [14], we proposed a framework for modeling and assessing the security of the IoT. The framework is used to construct a graphical security model and a security evaluator with various security metrics to automate the security analysis of the IoT. Graphical security models (e.g., attack graphs (AGs) [32], attack trees (ATs) [31]) have been widely used in network security assessment. In particular, an AG can depict all possible sequences of attackers’ actions to compromise the target, while an AT explores possible ways an attack goal is attained by combining different types of attacks. However, the complexity of computing a complete AG is increasing exponentially and the construction of the AT is not scalable as well. Hence, we adopt a scalable graphical security model called the multi-layer hierarchical attack representation model (HARM) [17, 14] which combines AGs and ATs to solve the complexity and scalability issues introduced by single-layered security models.

To compute the optimal deployments of defense mechanisms, we use multi-layered HARM to evaluate the effectiveness and efficiency of the proposed deployment of the defense mechanisms and apply the multi-objective genetic algorithm (MOGA) to maximize network security while minimizing deployment cost. To the best of our knowledge, this work is the first that evaluates the combinations of the deception technology and the security patch solution and identifies an optimal setting to deploy these defense mechanisms for the IoT environments. This work has the following key contributions:

  • We developed a hybrid defense mechanism by combining the deception technology and software patch solution for the IoT environments and evaluated the proposed approach based on the graphical security model and security metrics.

  • We identified an optimal setting to deploy the developed defense mechanisms for the IoT under resource constraints. In this work, given the resource budget constraints, we solved an multi-objective optimization (MOO) problem using a genetic algorithm (GA) and compared its performance against the performance of the exhaustive search algorithm (ESA) as a baseline model.

  • The proposed defense mechanism is generic in that it provides various ways of deploying defense mechanisms for the resource constrained IoT environments. Our proposed scheme is highly customizable to optimize multiple objectives to meet given system requirements.

The rest of the paper is organized as follows. Section II presents related work on security optimization solutions and deception technology used for an IoT environment. Section III describes our system model, defense mechanisms, and attack model considered in this work. Section IV addresses our problem formulation and optimization steps to solve a given MOO problem followed by a case study in Section V. Section VI demonstrates our experimental results and discusses their overall trends. Section VII discusses the applicability and limitations of our work and future work directions. Lastly, Section VIII concludes our paper.

Ii Related Work

Security optimization for IoT: Little work has addressed a problem on how to optimally select defense mechanisms for the IoT. Rullo et al. [30] developed a resource allocation mechanism to ensure the security of the IoT based on an a Stackelberg game. Based on the decisions from the attack-defense game, this work derived the best security resource allocation plan to achieve multiple system goals in terms of minimizing maximal risk, maximal criticality, energy consumption, and allocation cost. Rullo et al. [29] also took another approach to develop an optimal security resource allocation for an IoT network with mobile nodes based on GAs. Both works [30, 29] assume that an attacker can proceed a next attack after it can compromise a security resource. However, it is not realistic as highly sophisticated, stealthy attackers can directly compromise other components of a system while not being detected. Further, these works focus on device-level security but do not concern system-level security.

Cyber deception in IoT: La et al. [20] introduced a game theoretic model to analyze the security of honeypot-enabled IoT networks. They assumed that the attacker may deceive the defender with suspicious or seemingly normal traffic and used the honeypot-enabled intrusion detection component which reroutes the suspicious traffic to the honeypots as a defense mechanism. The interaction between the attacker and defender was modeled based on a Bayesian game with incomplete information. Anirudh et al. [9] used honeypots for online servers to mitigate Distributed-Denial-of-Service (DDoS) attacks launched from the IoT devices. Pa et al. [25] developed an IoT honeypot to emulate the IoT devices and capture Telnet-based attacks and designed the IoT sandbox to analyze these attacks against the IoT devices running different CPU architectures. Dowling et al. [13] created a honeypot that simulates a ZigBee gateway and used it to capture attacks for a further analysis.

Based on our literature review, no prior work has evaluated the performance of the modern deception technology on the IoT and proposed the hybrid approach combining different defense mechanisms to enhance the security of the IoT via graphical security models. In this work, we propose a graphical security model to evaluate the effectiveness and efficiency of the defense mechanisms using our devised evaluation metrics and identify optimal deployment solutions based on an MOGA.

Iii Preliminaries

In this section, we describe our system model along with defense mechanisms and attack model considered in this work.

Iii-a System Model

We consider an IoT network consisting of servers, client machines (e.g., computers), and IoT devices [15, 28]. We assume that traditional defense mechanisms are in place on the IoT network, including IDSs, firewalls, and anti-virus software on the servers and client machines. The IoT network has a central patch management system to patch critical security vulnerabilities in the servers and client machines. This work focuses on how to deploy the deception technology in the network and the patch management solution for the IoT devices to defend against sophisticated attacks, as described in Section III-C. The assumptions are made based on the realistic deployment scenario of the IoT network in the smart hospital [4]. We detail the example network scenario in Section V-A.

Iii-B Defense Mechanisms

We use two defense mechanisms, including the deception technology and security patch management solution, and their strategic deployment for adaptive defense based on the combination of those two defense mechanisms for the targeted IoT.

Iii-B1 Deception Technologies

Once attackers are inside an IoT network, they start probing to collect information to identify potential valuable assets and then move laterally in the network to launch attacks based on the information they gathered during the reconnaissance [8]. To successfully lure attackers, the following issues should be discussed: (1) where the decoy systems should be deployed; (2) what types of decoys should be employed; and (3) what level of authenticity of the decoys should be applied. In this section, we discuss these issues and the associated purchase cost associated with each deployment method.

Modern deception technologies integrate honeypot technology, visualization, and automation technologies. There are several emerging vendors (e.g., Illusive Networks, Attivo Networks, TrapX, Cymmetria, TopSpin [26]) which implement the modern deception technologies as well as provide support for IoT networks in various domains (e.g., smart home, smart office, health care).

There are two types of decoys/traps utilized throughout a network: emulation-based and full operating system (OS)-based. Both emulation-based and full OS-based decoys can be autonomously created to fit within the environment with no changes to the existing IT infrastructure. They provide various types of interactive capabilities. Emulated decoys allow defenders to create a variety of fake assets (e.g., IoT devices, endpoints, servers, routers) and to provide a large-scale coverage across the network. Full OS-based decoys allow replication of the actual production devices to increase the possibility of engaging the attacker and to reveal the attacker’s intention. To increase the overall chances attackers access decoys, the combinations of the decoys should closely resemble the real usage of the network devices and guarantee the decoy diversity. In addition, the decoys are suggested to be deployed in every VLAN of the network.

Deception technologies are implemented in different ways by different vendors [1, 2, 3, 7]. The implementation usually consists of an intelligence center and various types of decoys. The intelligence center is used to create, deploy, and update a distributed decoy system, provide automated attack analysis, vulnerability assessment, and forensic reporting, and integrate with other prevention systems (e.g., security incident and event management platform, firewalls) to block attacks. The decoy system includes the decoys deployed across the network. The intelligence center can be purchased as a platform including hardware appliances and/or software. The decoys can be purchased individually with an annual license fee based on the number of servers, client machines, and IoT devices to be protected.

Iii-B2 Patch Management

The IoT network often consists of various types of IoT devices produced by different manufacturers. The enterprises have annual maintenance contracts with these manufacturers for repairing and upgrading services. However, there is no patch management solution for the IoT devices. Therefore, for each type of the IoT devices, the enterprises can make additional annual agreements with the manufacturers for the patch management solutions with a certain amount of investment. In real-world situations, more complex cases may happen. For instance, different IoT devices produced by the same manufacturer can get the patch support in one contract. But some manufacturers cannot provide patches for the IoT devices. However, this work proposes an approach that provides an optimal selection of deployments of defense mechanisms. We leave the other issues mentioned above to be addressed in our future work.

Iii-C Attacker Model

We mainly concern an outside attacker in this work. The attacker aims to obtain private information from an IoT network and sell it for its economic gain. Considering the real-world scenarios where attackers target a smart hospital environment [4], we consider the following attack behaviors:

  • An attacker lacks knowledge on whether a decoy system exists or not. The attacker’s capability to detect the deception depends on the knowledge gap between the attacker and the real system state. A smart attacker is assumed to have a high capability to recognize an emulated decoy but may not be able to detect a full OS-based decoy easily.

  • After the attacker interacted with a decoy, the attacker’s behavior is monitored. If the attacker realized that the device is a decoy, it terminates its activities with the decoy immediately and attempts to find a new target to get into the network.

  • An attacker is capable of identifying exploitable, unpatched vulnerabilities or unknown vulnerabilities and compromising the vulnerable servers and/or client machines [10].

  • An attacker is capable of exploiting unpatched vulnerabilities through hidden malware (e.g., re-packing, polymorphism) and using them to compromise other devices (e.g., installation of the backdoors for persistent attacks) [4].

Iv Optimal Defense Deployment

In this section, we discuss our problem formulation and the steps to optimize the deployment of defense mechanisms.

Iv-a Problem Formulation

We define a deployment vector as the problem input and three metrics to evaluate the optimality and efficiency (or cost) of the deployment and define the following optimization problem.

We use the definitions of an IoT network and the graphical security model in our prior work [14] and describe decoy nodes. The IoT network can be defined as (, , ) where is a finite set of subnets, is a finite set of nodes and is a finite set of vulnerabilities. For each node , we specify one existing attribute and add three attributes: {Web server (Red Hat), Endpoint (Win10), MRI (Win7), Smart TV (Samsung), }) specifies the type of the node; indicates the node is either real or decoy;

refers to the probability that an attacker will interact with the node and use it as a stepping stone to compromise other nodes;

is the deployment cost of the decoy (i.e., if ).

For , if the node is real, the attacker will have the probability of to exploit the vulnerabilities and then use it to compromise other nodes; if the node is a decoy, the attacker may figure out the trap after the interaction with the node and then will terminate its activities with the node; or it is deceived by the decoy and be diverted to other decoy nodes afterwards. Therefore, the full OS-based decoy will have a higher probability to deceive attackers than the emulated decoy as the attacker is more likely to interact with the full OS-based decoy without detecting the deception. It is also assumed that the attacker cannot detect the decoy without interacting with the decoy; this leads to .

Iv-A1 Deployment Vector

We assume the network is divided into several VLANs (i.e., subnets). All decoy nodes deployed across the network have different types. Let denote the set of node types for deception deployment and denote the set of the IoT types for patch management. We define the deployment vector as follows.

Definition 1. The deployment vector is defined as an integer valued vector. The function : describes the integer value for each type of the decoy deployment in the network. The function : describes an integer value of the patch solution for each type of IoT nodes in the network. Let denote the deployment vector for the deception technology and denote the deployment vector for the patch management. We denote the deployment vectors by:

(1)

We assume at least one server decoy should be deployed in the network to engage the attackers. Therefore, for the server decoy, the integer value indicates that a specific type of server decoys is not deployed (), emulated () or full OS-based (). We use emulated decoys for client machines and IoT devices. Hence, the integer value indicates that a specific type of decoys is either deployed () or not (). For the patch management, the integer value shows that a specific type of the IoT devices can be either patched () or not patched ().

Iv-A2 Metrics

We assume that an attacker may have one or more targets in the network for achieving its goal (e.g., stealing data stored in servers). For each target, the attacker may be able to find multiple attack paths to reach the target via one or multiple entry points. An attack path specifies a sequence of nodes that the attacker can compromise to reach the target node. We consider a set of attack paths for the attacker to reach all the targets from all possible entry points. Each attack path is a sequence of nodes along the path. We divide into two sets: representing a set of attack paths with real nodes as targets and indicating a set of attack paths with decoy nodes as targets. As the attacker will terminate its activities with the decoy upon detecting the deception, only contains the real nodes while contains both real nodes and decoy nodes.

We use the following three metrics to evaluate the effectiveness and efficiency of the deployed decoy system:

  • Decoy Nodes Fraction (): This metric refers to the average fraction of decoy nodes among all nodes along the attack path towards a decoy target, representing the average decoy percentage along the attack path. Let denote a set of decoy nodes along an attack path. is measured by:

    (2)

    where higher is more desirable.

  • Node Interaction Probability (): This metric indicates the average probability that an attacker will interact with nodes along a given attack path and eventually reach a decoy target. This metric reflects the average probability that the attacker is diverted to the decoy target along the attack path.

    is estimated by:

    (3)

    where higher is regarded as better performance.

  • Fraction of Residual Cost (): This metric represents how much cost remains after subtracting one deployment related cost from the total cost. Here the total cost indicates the cost incurred for deploying all potential defense mechanisms. To estimate this cost, we assume that the manufacturer charges the patch management solution for the same type of IoT devices at a fixed price. We also assume that all decoys are sufficiently different showing high diversity, not to be easily detected by attackers. In order to obtain , we consider three cost related to defense mechanism deployments as follows:

    1. Intelligence Cost (): This cost incurs when purchasing the intelligence center as a platform and is considered as a constant cost in this work.

    2. Total Patch Management Cost (): This cost includes the total patch management cost for IoT devices and is obtained by:

      (4)

      where denotes the patch solution cost for one type of the IoT devices.

    3. Decoy Deployment Cost (): This cost considers the deployment cost of all decoys and is given by:

      (5)

    Based on these three costs above (i.e., , , and ), is computed by:

    (6)

    where is calculated by summing the associated costs for all potential defense mechanisms. Higher indicates lower actual deployment cost, which is more desirable.

Iv-A3 Problem Statement

The problem we aim to solve is an MOO problem where the above three metrics (i.e., , , ) should be maximized.

Given that each deployment of the defense mechanisms entails purchase and maintenance cost, the optimization problem is to compute a set of Pareto optimal solutions (or Pareto frontier) [24] that provide a reasonable balance between the effectiveness and efficiency of the deployments of the defense mechanisms. Let denote all possible deployments of the defense mechanisms for a given IoT network and {, , } denote all possible values of the evaluation metrics for the given . We define the Pareto optimal solutions (or Pareto frontier) in our optimization problem as follows.

Definition 2. The Pareto frontier for the three-objective optimization problem is {(, , ) } (, , ) such that , and where * indicates an optimal solution for the objectives and each (, , ) is a strongly nondominated solution.

Iv-B Optimization Steps

Fig. 1: Optimization steps in the proposed framework.

We enhance our prior framework [14] by introducing the deployment generator, the deployment evaluator and the optimization module. Fig. 1 describes the enhanced, new framework with the following five phases: data input, deployment generation, security model generation, deployment evaluation, and deployment optimization.

In Phase 1, the security decision maker provides the IoT Generator with the system information (i.e., network topology and node vulnerability information) to construct an IoT network. Given the network and all potential deployments of the defense mechanisms represented in the integer formats, the Deployment Generator randomly generates a set of different deployments in Phase 2. Each deployment of the defense mechanisms is fed into the network and also passed onto the Optimization Module. In Phase 3, the Security Model Generator takes the reconstructed network as input and automatically generates the HARM which captures all possible attack paths. We use the three-layered HARM [16] as our graphical security model. In the three-layered HARM, the upper layer captures the subnet reachability information, the middle layer represents the node connectivity information (i.e., nodes connected in the topological structure) and the lower layer denotes the vulnerability information of each node. In Phase 4, the Deployment Evaluator takes the HARM as input along with the evaluation metrics and computes the results which are then fed into the Optimization Module. In Phase 5, based on the initial set of deployments and the associated evaluation results, the Optimization Module applies the multi-objective genetic algorithm to compute the optimal deployments of the defense mechanisms for the IoT network based on the termination conditions (e.g., the maximum number of generations defined by the security decision maker).

We chose the GA to solve the given MOO problem due to the following reasons. First, GA provides a simple way to encode the candidate solutions. As we use the integer values to represent the deployment of defense mechanisms, binary encoding can be easily applied to convert the integer values into binary values for our defense mechanisms. Second, due to the rapidly growing IoT network, the scalability of an algorithm becomes a critical issue. However, GA requires little information to search effectively in a large search space which satisfies the requirement of an IoT network with a large number of nodes. To be specific, we choose one of the widely used GAs named nondominated sorting GA II (NSGA-II) in [12] as the optimization algorithm. NSGA-II is defined as a fast sorting and elite MOGA and is able to find better spread of the solutions.

V Case Study

For our case study, we use an example scenario based on a smart hospital IoT environment. As a hospital system often keeps highly valuable information, attackers can have high economic gain by obtaining the private data. We will introduce the example network and explain each step to solve the given MOO problem based on our proposed approach. To deliver a more concrete idea, we are using this scenario to validate our proposed approach; however, our work is generic in nature and is applicable to general IoT environments.

V-a Example Network

We consider the Picture Archive and Communication System (PACS) in a smart hospital IoT. The system consists of PACS servers for the storage of image information from multiple source machine types, PACS client machines to access the images and Internet of Medical Things (IoMT) using radiology techniques [4, 5] to send images to the servers. PACS uses the digital imaging and communications in medical (DICOM) standard as the communication protocol between the IoMT devices and the PACS servers. Fig. 2 depicts the example PACS network.

Fig. 2: An example PACS network.

The PACS network is divided into three VLANs by the external and internal firewalls. The PACS servers use active-active high availability cluster configuration to ensure reliable data storage and access. The redundant servers are identical in terms of both hardware and software. The PACS clients are computers with the DICOM viewers. The IoMT devices include Ultrasound machine, MRI machine, digital X-Ray machine, and CT scanner. As these IoMT devices are closed systems, additional security software cannot be easily integrated into the devices. Besides, patches for the COTS running on the IoMT devices need to be verified and tested by the manufacturers due to the safety issue.

We make assumptions for the operating systems (OSs) and applications running on the devices: each PACS server runs a Linux OS and is installed with the PACS software and database (e.g., MySQL); PACS client machines run two types of OSs, including Windows 8 and Windows 10; IoMT devices run Windows 7. All the chosen OSs and applications are commonly used in the PACS.

We use the attacker model described in Section III-C. The attacker is able to wrap highly capable attack tools into obsolete malware (e.g., MS08-067), use it to exploit the vulnerabilities in the un-patched IoMT devices and become un-detected by the anti-virus software running on other devices [4, 5]. For the servers and client machines, the known but un-patched vulnerabilities can be collected from the National Vulnerability Database (NVD). We assume that the attacker is able to exploit the client machines and IoMT devices as entry points, then move laterally in different VLANs of the network, and eventually reach the servers for stealing private data.

The intelligence center is purchased as a platform and decoys are purchased individually with an annual license fee. The IoMT devices are purchased from different manufacturers. The hospital has the maintenance support from the manufacturers for the cleaning, repair and upgrade services but without the coverage of security updates. Thus, the hospital needs to make additional contracts with the manufacturers separately for the patch management support. We investigate the prices of the deception products [34, 35] and service fees for the IoMT devices [6, 21, 22, 23]. We consider that the additional patch management fee is 10% of the average full service fee. The estimated prices for the defense mechanisms are shown in Table I.

Product Price (USD)
Deception Deployment
Intelligence Center 20,000
PACS Server Full OS (Linux) 1,500
Emulation (Linux) 400
PACS Client Windows 8 300
(Emulation) Windows 10 300
Ultrasound 200
IoMT Device MRI 200
(Emulation) X-Ray 200
CT Scanner 200
Patch Solution
Ultrasound 2,000
IoMT MRI 6,000
Device X-Ray 1,000
CT Scanner 5,000
TABLE I: Estimated prices for defense mechanisms.

V-B Computation of the Optimal Deployments

We consider a small-scale PACS network, including 2 PACS servers, 10 PACS client machines (5 running Windows 8 and 5 running Windows 10) and 4 different IoMT devices. The network is divided into three VLANs: servers in VLAN1, client machines in VLAN2 and IoMT devices in VLAN3.

We assume each device has one known but un-patched vulnerability that can be exploited by the attacker to gain the root permission. Therefore, if the un-patched Windows 7 in the IoMT device is patched, there is no other exploitable vulnerability. We also assume each decoy has one vulnerability to lure the attacker. More vulnerabilities can be used based on the real configuration of the decoys. Besides, for an emulated decoy, the attacker interacts with the decoy with the probability of 0.5, can exploit the vulnerability and then use it to compromise other devices; for a full OS-based decoy, this probability is 0.9. We assume that the probability values are obtainable based on a measurement of the real configuration of the decoys (e.g., semi-quantitative and semi-qualitative).

Based on the concepts of GA [24], a population represents a group of potential deployments of the defense mechanisms; a chromosome corresponds to a deployment vector; a generation is one time of algorithm iteration; fitness values are determined by the evaluation metrics (i.e., fitness functions). We use the following algorithm parameters: population size , maximum number of generations , crossover rate , and mutation rate .

We first generate the PACS network via the IoT Generator. The network is represented as where

We show a list of attributes for as an example:

Given the network, we have the potential deployments of the defense mechanisms based on the types of devices: = {PACS server (Linux), PACS client (Win8), PACS client (Win10), Ultrasound (Win7), MRI (Win7), XRay (Win7), CT (Win7)} and = {Ultrasound (Win7), MRI (Win7), XRay (Win7), CT (Win7)}.

Given the potential deployments, we randomly generate a population of 100 deployments . We show one example of the deployment vector, = = = = .

Afterwards, the PACS network is reconstructed with the defense mechanisms. For example, using , three decoy nodes are added into the network (, and ) and three IoMT devices are patched (, and ). The reconstructed network is fed into the Security Model Generator to construct the HARM and to capture the potential attack paths. We show the HARM for the network with the deployment vector in Fig. 3.

Fig. 3: HARM for the network with .

From Fig. 3, the attacker is able to take the client machines in VLAN2 and IoMT devices in VLAN3 as entry points and then move laterally in the network to eventually reach the servers. As decoys are also deployed in the network, the attacker may be lured into the decoys. Once the attacker interacts with the decoy, it either detects the decoy and terminates its attack behavior, or is diverted to another decoy. Then the HARM with the attack path information is taken as input into the Security Evaluator to evaluate the deployment of the defense mechanisms. We omit the calculation steps and results of the evaluation metrics for the network with due to the page constraint.

The Optimization Module takes the initial population of deployments () and the corresponding fitness values () as inputs and then computes the optimal deployments via the MOGA. We show the final population of the fitness values in Fig. 6 which forms the Pareto frontier ().

Fig. 4: Final deployments.
Fig. 5: Deployments with budget constraint.
Fig. 6: Complexity: GA vs. ESA.

There are four labeled points in Fig. 6 which represent the deployments with one maximum fitness value respectively. We show the deployment vector for each point as follows: = (2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1), = (1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1), = (2, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1) and = (1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0).

Points and have the maximum decoy node fraction. In these two deployments, all decoys are deployed and all IoMT devices are patched. The only difference is that point represents the deployment with the full OS-based server decoy and point represents the one with the emulated server decoy. Point has the maximum node interaction probability and represents the deployment with the full OS-based server decoy deployed and all the IoMT devices patched. Point has the maximum residual cost fraction and represents the deployment with one emulated server decoy deployed. These deployments will be used to test the algorithm accuracy in Section VI.

V-C Analysis and Comparison of the Defense Mechanisms

In this section, we analyze the optimal deployments of the defense mechanisms and compare the optimal deployments with the deployments of the individual defense mechanisms. We introduce several metrics which are used in the following analysis: the percentage of decoys among all real devices (), the percentage of patched devices among all real devices (), the number of attack paths towards the real targets ( calculated by ), the number of attack paths towards the decoy targets ( calculated by ) and the deployment cost of the defense mechanisms ().

V-C1 Analysis of the Optimal Deployments

We assume the hospital has a budget for the security investment and uses the budget and total cost to calculate the minimum residual cost fraction. Here, we use a budget of (in USD) and calculate the minimum which is approximately 0.322. We show the deployments meeting the budget constraint in Fig. 6 (i.e., the points that are above 0.322 in Fig. 6).

To balance the effect of the two evaluation metrics in Fig. 6, we use a common scalarization method [11], which is a weighted sum to consider both metrics, and , where each metric is weighted with and , respectively. This leads to a single, weighted metric, (). We use the weight of ranged from 0 to 1 (with the increment of 0.1) and show the points with the maximum weighted metric in Fig. 6. We summarize the corresponding deployment vector and the weight values of for each point in the following: with ; = with = 0, 0.1; = with = 0.2, 0.3, 04; = with = 0.5; = with = 0.6, 0.7, 0.8, 0.9.

Point represents the deployment with the maximum decoy node fraction. Other points represent the deployments with one or multiple maximum weight metric values. We calculate the decoy percentage and patch percentage for each point to indicate the coverage of the defense mechanisms. We show the values of two evaluation metrics ( and ) and the percentages of each point in Table II in the order of increasing .

Point
0.388 0.892 12.5% 0.0%
0.414 0.886 12.5% 12.5%
0.431 0.874 18.8% 12.5%
0.482 0.802 43.8% 6.3%
0.483 0.450 31.3% 12.5%
TABLE II: Comparisons among the optimal deployments.

From point to point in Table II, , and increase while decreases with the increasing value of , which indicates the higher percentages of the decoys and the patched IoMT devices, and the higher decoy authenticity (deployment of the full OS-based server decoy) when the importance of increases. Point has the maximum , relatively high values of and and a low value of , which demonstrates the maximum percentage of the decoys, high decoy authenticity but a low percentage of the patched IoMT devices. Point has the maximum and , a low value of and a relatively high value of , which demonstrates the high percentages of the decoys and the patched IoMT devices but a low decoy authenticity (deployment of all emulated decoys).

Among the points , , and , we can see that there is a balance between the decoy percentage and decoy authenticity. Point has a good percentage of the decoys (more decoys to trap the attackers) but low authenticity of the decoys (lower probability to interact with the attackers once they are diverted to the server decoy) while the other three points have the opposite effect. Point achieves a good percentage of the decoy and high authenticity of the decoys but has a low percentage of the patched IoMT devices. Besides, points , and have a good patch percentage. In order to facilitate the decision making on the optimal deployment of the defense mechanisms by the defenders, we summarize the analysis results in the following way: (2) choose the deployment using to achieve high decoy coverage and decoy authenticity; (2) choose the deployment using to achieve high decoy coverage and patch coverage; and (3) choose the deployment using to achieve high decoy authenticity and patch coverage.

V-C2 Comparison of the Defense Mechanisms

We compare the three optimal deployments of the two defense mechanisms with the deployments of only deception or only patch solution in Table III using , , , and . Additionally, we patch all the IoMT devices by using only patch solution and deploy the full OS-based server decoy and all the other potential decoys by using only deception mechanism.

[width=0.9in]DefenseMetric
No defense 0.0% 0.0% 108 0 0
Only patch 0.0% 25.0% 20 0 14000
Only deception 43.8% 0.0% 108 68 22900
Both with 31.3% 12.5% 64 40 24400
Both with 18.8% 12.5% 64 34 24900
Both with 43.8% 6.3% 86 55 23900
TABLE III: Comparisons among the deployments.

From Table III, compared with no defense, different combinations of the defense mechanisms increase the security of the IoT network at different aspects. The deployment of patch solution has the highest patch percentage and lowest number of real attack paths. However, once the attacker breaks into the network, the real devices are the only targets and the behavior of sophisticated attackers may not be detected. The deployment of deception has the highest decoy percentage and highest number of fake attack paths but remains the highest number of real attack paths. The deployments of both patch and deception decrease the number of real attack paths significantly and introduce the fake attack paths to divert the attacks from the real assets. Therefore, the combinations of the two defense mechanisms are more effective to increase the security of the IoT networks with a reasonable cost.

Defenders could use our approach to compute the set of optimal deployments of the combined defense mechanisms and choose the most suitable deployment based on the budget constraint and analysis metrics.

Vi Simulations

We compare the GA with the exhaustive search algorithm (ESA) in terms of time efficiency and accuracy of the results. Here the accuracy refers to the ratio between the number of deployments with the maximum fitness value of one fitness function in the final population using the GA and that in Pareto frontier using the ESA. All simulations are performed using the computer equipped with a 3.4 GHz CPU under Linux Mint 18.1 Serena and Eclipse Neon.1 with Python 2.7.

We consider the IoT networks with the similar structure of the example network used in the case study along with the attacker model in Section III-C. We use the network with a fixed number of servers and client machines and an increasing number of the IoT devices with different types to investigate the impact of the growing IoT devices on the proposed approach. Specifically, we use 2 servers, 50 client machines with two types of OSs. The number of IoT devices ranges from 50 to 200 with an increment of 25 in each simulation. Servers, client machines and different types of the IoT devices are deployed in different VLANs. We assume every 25 IoT devices have the same type and belong to the same manufacturer. Each manufacturer makes agreement with the enterprise to implement the patch solutions for the IoT devices at a different price (ranging from 1000 to 4000 with a difference of 500 for each agreement). Prices for the deception products are same as the prices shown in Table I. We use the following algorithm parameters for the simulations: population size = 100, maximum number of generations = 100, crossover rate = 0.8 and mutation rate = 0.2.

We show the time comparison of two algorithms in Fig. 6. We use the number of nodes with different types (in the form of server-client machine-IoT) along with the number of bits used for the binary encodings of the deployments as labels. Initially, when the scale of the network is small, the ESA runs faster than the GA. However, with the increasing number of the encoding bits, the time of the ESA increases exponentially while the time of the GA increases linearly.

We show the accuracy ratios of the GA compared with the ESA in Table IV. When the number of the encoding bits ranges from 8 to 14, the accuracy ratio is 1.0 as the set of the deployments with one maximum fitness value calculated by the GA is equal to the set of deployments with one maximum value calculated by the ESA. The ratio decreases when the number of the encoding bits is equal to or larger than 16. We increase the population size and the maximum generation of GA and run the simulations with the same networks. For the network with 2 servers, 50 client machines and 150 IoT devices, we keep the current population size while increase the maximum generation to 150; for the network with 175 IoT devices, we increase the population size and the maximum generation to 150; for the network with 200 IoT devices, we increase the population size to 150 and the maximum generation to 200. We obtain the ratios of 1.0 for all these networks with a slightly higher runtime.

Network Population Maximum Runtime Accuracy
size generation (minute) ratio
2-50-50 (8) 100 100 4 1.0
2-50-75 (10) 100 100 7 1.0
2-50-100 (12) 100 100 9 1.0
2-50-125 (14) 100 100 12 1.0
2-50-150 (16) 100 100 16 0.75
100 150 22 1.0
2-50-175 (18) 100 100 20 0.75
150 150 40 1.0
2-50-200 (20) 100 100 22 0.5
150 200 67 1.0
TABLE IV: Accuracy ratios of GA.

In conclusion, the GA is much more efficient than the ESA when the size of the IoT network increases and is able to obtain a good spread of the optimal deployments within a reasonable time.

Vii Discussions

The proposed approach can be applied to any IoT networks with the potential deployments of these two defense mechanisms. However, by designing new evaluation metrics and integrating them with the graphical security model, our approach can be used to investigate any combinations of the defense mechanisms. In our future work, we could use more case studies to analyze the effect of the defense mechanisms and apply game theoretic approach to model the interaction between the defender who tries to deploy optimal defenses and attacker who tries to strategically evade the defenses [18]. Besides, several limitations can be resolved to extend the scope of the work.

  • Deployment cost: We will consider the long-term effect of the annual fees on the deployment costs of both the deception and security patch mechanisms.

  • Deception: The attacker may not choose the particular decoy IoT device among all IoT devices. We will investigate the effectiveness and efficiency of the deployments with the various numbers of decoys for each IoT type.

  • Optimization algorithms:

    We will validate whether optimal solutions are identified using GA via simulations and evaluate and compare other heuristic algorithms to find the most efficient algorithm for our optimization problem.

  • Validation: We introduced a case study to demonstrate the feasibility of our proposed approach and carried out simulations to evaluate the efficiency of the optimization algorithm. We will perform the experiment on a small-scale IoT network to verify the approach.

Viii Conclusions

In this paper, we have provided a novel approach to compute the optimal deployments of defense mechanisms for IoT environments. We have introduced two defense mechanisms, including the modern deception technology and patch management solution for IoT devices. We have defined three metrics to measure the effectiveness and efficiency of the deployments of defense mechanisms and formalized a multi-objective optimization (MOO) problem to maximize three devised metrics as system goals. We have leveraged the genetic algorithm to solve the MOO problem and integrated it with the graphical security model along with the deployment evaluator in the framework to carry out the computation of optimal deployments of defense mechanisms. We have validated the performance of the proposed approach based on a case study with a smart hospital IoT scenario. Through the extensive simulation experiments, we have validated the performance of the proposed framework and deployment method by conducting a comparative analysis between the genetic algorithm and the exhaustive search algorithm in terms of runtime complexity and optimality (or accuracy). Our simulation results have shown that the GA generates high quality solutions with low complexity, by showing a good spread of the deployments of defense mechanisms.

References

  • Att [2016] “Know What is Lurking in Your Network,” Attivo, Tech. Rep., 2016.
  • Ovu [2017a] “On the Radar: Attivo Networks offers deception, vulnerability assessment, and response automation,” Ovum, Tech. Rep., 2017.
  • Ovu [2017b] “On the Radar: TopSpin adds IoT security capabilities to DECOYnet,” Ovum, Tech. Rep., 2017.
  • Tra [2017] “ANATOMY OF AN ATTACK MEDJACK (Medical Device Hijack),” TrapX Research Labs, Tech. Rep., 2017.
  • Tra [2017] “ANATOMY OF AN ATTACK MEDJACK.2 Hospitals Under Siege,” TrapX Research Labs, Tech. Rep., 2017.
  • Ult [2017] (2017) How Much Does an Ultrasound Machine Cost? [Online]. Available: http://www.costowl.com/healthcare/healthcare-ultrasound-machine-costs.html
  • tra [2017b] “Product Brief - DeceptionGrid 6.0,” TrapX Research Labs, Tech. Rep., 2017.
  • tra [2017a] “Retail Point-of-Sale Under Fire,” TrapX Research Labs, Tech. Rep., 2017.
  • Anirudh et al. [2017] M. Anirudh, S. A. Thileeban, and D. J. Nallathambi, “Use of honeypots for mitigating DoS attacks targeted on IoT networks,” in Proceedings of the 2017 International Conference on Computer, Communication and Signal Processing (ICCCSP ’17).    IEEE, 2017, pp. 1–4.
  • Borbor et al. [2017] D. Borbor, L. Wang, S. Jajodia, and A. Singhal, Securing Networks Against Unpatchable and Unknown Vulnerabilities Using Heterogeneous Hardening Options.    Springer International Publishing, 2017, pp. 509–528.
  • Cho et al. [2017] J. H. Cho, Y. Wang, I. R. Chen, K. S. Chan, and A. Swami, “A survey on modeling and optimizing multi-objective systems,” IEEE Communications Surveys Tutorials, vol. 19, no. 3, pp. 1867–1901, Third Quarter 2017.
  • Deb et al. [2002] K. Deb, A. Pratap, S. Agarwal, and T. Meyarivan, “A Fast and Elitist Multiobjective Genetic Algorithm: NSGA-II,”

    IEEE Transactions on Evolutionary Computation

    , vol. 6, no. 2, pp. 182–197, 2002.
  • Dowling et al. [2017] S. Dowling, M. Schukat, and H. Melvin, “A ZigBee Honeypot to assess IoT Cyberattack Behaviour,” in Proceedings of the 2017 28th Irish Signals and Systems Conference (ISSC ’17).    IEEE, 2017, pp. 1–6.
  • Ge et al. [2017] M. Ge, J. B. Hong, W. Guttmann, and D. S. Kim, “A framework for automating security analysis of the internet of things,” Journal of Network and Computer Applications, vol. 83, pp. 12–27, 2017.
  • Gubbi et al. [2013] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A Vision, Architectural Elements, and Future Directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013.
  • Hong and Kim [2015] J. B. Hong and D. S. Kim, “Assessing the Effectiveness of Moving Target Defenses using Security Models,” IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2015.
  • Hong and Kim [2016] ——, “Towards Scalable Security Analysis using Multi-Layered Security Models,” Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.
  • Kamdem et al. [2017] G. Kamdem, C. Kamhoua, Y. Lu, S. Shetty, and L. Njilla, “A Markov Game Theoritic Approach for Power Grid Security,” in Proceedings of 2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW ’17).    IEEE, 2017, pp. 139–144.
  • Kolias et al. [2017] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and Other Botnets,” IEEE Computer, vol. 50, no. 7, pp. 80–84, 2017.
  • La et al. [2016] Q. D. La, T. Q. S. Quek, J. Lee, S. Jin, and H. Zhu, “Deceptive Attack and Defense Game in Honeypot-Enabled Networks for the Internet of Things,” IEEE Internet of Things Journal, vol. 3, no. 6, pp. 1025–1035, 2016.
  • Loomis [2017] S. Loomis. (2017) CT Scanner Service Cost Price Info. [Online]. Available: https://info.blockimaging.com/bid/95421/ct-scanner-service-cost-price-info
  • Loomis [2016a] ——. (2016) MRI Service Cost Price Info. [Online]. Available: https://info.blockimaging.com/mri-service-cost-price-info
  • Loomis [2016b] ——. (2016) X-Ray Equipment Service Cost Price Info. [Online]. Available: https://info.blockimaging.com/x-ray-equipment-service-cost-price-info
  • Marler and Arora [2004] R. T. Marler and J. S. Arora, “Survey of multi-objective optimization methods for engineering,” Structural and Multidisciplinary Optimization, vol. 26, no. 6, pp. 369–395, 2004.
  • Pa et al. [2015] Y. M. P. Pa, S. Suzuki, K. Yoshioka, T. Matsumoto, T. Kasama, and C. Rossow, “IoTPOT: Analysing the Rise of IoT Compromises,” in Proceedings of the 9th USENIX Workshop on Offensive Technologies (WOOT ’15).    USENIX Association, 2015.
  • Pingree [2016] L. Pingree. (2016) Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities. [Online]. Available: https://www.gartner.com/doc/reprints?id=1-2LSQOX3&ct=150824&st=sb&aliId=87768
  • Roman et al. [2011] R. Roman, P. Najera, and J. Lopez, “Securing the Internet of Things,” Computer, vol. 44, no. 9, pp. 51–58, Sep. 2011.
  • Roman et al. [2013] R. Roman, J. Zhou, and J. Lopez, “On the features and challenges of security and privacy in distributed internet of things,” Computer Networks, vol. 57, no. 10, pp. 2266–2279, 2013.
  • Rullo et al. [2017b] A. Rullo, E. Serra, E. Bertino, and J. Lobo, “Shortfall-Based Optimal Security Provisioning for Internet of Things,” in Proceedings of 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS ’17).    IEEE, 2017, pp. 2585–2586.
  • Rullo et al. [2017a] A. Rullo, D. Midi, E. Serra, and E. Bertino, “Pareto Optimal Security Resource Allocation for Internet of Things,” ACM Transactions on Privacy & Security, vol. 20, no. 4, pp. 15:1–15:30, Oct. 2017.
  • Saini et al. [2008] V. Saini, Q. Duan, and V. Paruchuri, “Threat Modeling using Attack Trees,” Journal of Computer Science in Colleges, vol. 23, no. 4, pp. 124–131, 2008.
  • Sheyner et al. [2002] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Automated Generation and Analysis of Attack Graphs,” in Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP ’02).    IEEE Computer Society, 2002, pp. 273–284.
  • Sicari et al. [2015] S. Sicari, A. Rizzardi, L. Grieco, and A. Coen-Porisini, “Security, privacy and trust in Internet of Things: The road ahead,” Computer Networks, vol. 76, pp. 146–164, 2015.
  • Stephenson [2016] P. Stephenson. (2016) Attivo BOTsink Deception Platform. [Online]. Available: https://www.scmagazine.com/attivo-botsink-deception-platform/review/7062/
  • Stephenson [2017] ——. (2017) TrapX Security’s DeceptionGrid. [Online]. Available: https://www.scmagazine.com/trapx-securitys-deceptiongrid/article/681820/