Intrusion Detection and Reactive Security for IoT (Détection d’Intrusion et Sécurité Réactive pour l’IoT)

01/12/2017
OAI: oai:www.see.asso.fr:20892:20898
DOI: 10.23723/20892/20898
 


File

application/pdf, 1.65 MB
bitcache://cefd8057761aef5d006b23ccd31c9e5c30d91f0d

License

Creative Commons: none (all rights reserved)


<resource  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns="http://datacite.org/schema/kernel-4"
                xsi:schemaLocation="http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4/metadata.xsd">
        <identifier identifierType="DOI">10.23723/20892/20898</identifier><creators><creator><creatorName>Alexis Olivereau</creatorName></creator></creators><titles>
            <title>Détection d’Intrusion et Sécurité Réactive pour l’IoT</title></titles>
        <publisher>SEE</publisher>
        <publicationYear>2017</publicationYear>
        <resourceType resourceTypeGeneral="Text">Text</resourceType><dates>
	    <date dateType="Created">Mon 4 Dec 2017</date>
	    <date dateType="Updated">Mon 4 Dec 2017</date>
            <date dateType="Submitted">Fri 20 Apr 2018</date>
	</dates>
        <alternateIdentifiers>
	    <alternateIdentifier alternateIdentifierType="bitstream">cefd8057761aef5d006b23ccd31c9e5c30d91f0d</alternateIdentifier>
	</alternateIdentifiers>
        <formats>
	    <format>application/pdf</format>
	</formats>
	<version>35298</version>
        <descriptions>
            <description descriptionType="Abstract"></description>
        </descriptions>
    </resource>

Slide 1: CYBERSECURITY OF THE INTERNET OF THINGS

Slide 2: BUSINESS PERCEPTION OF IOT SECURITY
(Figure; source: Gemalto (2015).)

Slide 3: Intrusion Detection and Reactive Security for IoT
Alexis Olivereau

Slide 4: INTRODUCTION: REACTIVE SECURITY VS. PREVENTIVE SECURITY
• Prevention and reaction are complementary approaches
  • Preventive (perimeter, often cryptographic) security counters external attacks
  • Reactive security detects an attacker from the malicious actions it undertakes
• Intrusion Detection Systems (IDSs) are key reactive security components that make it possible to:
  • Monitor system behavior in real time
  • Detect perimeter breaches, insider attackers... and
  • Set up countermeasures, from basic alerts to advanced automatic reconfiguration
(Figure labels: IDS; external attacker that is not filtered out by preventive security countermeasures; external attackers that are filtered out by preventive security countermeasures; internal attacker.)

Slide 5: QUICK OUTLINE
1. CHALLENGES
   A. IoT environment characteristics => need for preventive and reactive security
   B. IoT platform specificities => diminish the efficiency of preventive security solutions
   C. IoT platform specificities => make the adoption of reactive security solutions more complex
   D. IoT reactive security: existing art
2. ARCHITECTURES
   A. Probes
   B. Detection methods
   C. Reaction systems

Slide 6: CHALLENGES

Slide 7: IOT AND THE NEED FOR SECURITY
• IoT scenarios
  • Interactions with physical-world entities, without active human user involvement
  • Impact on the behavior of other functional systems
  • Good chances of remaining unnoticed
• On-field deployment
  • Location outside of the physical security perimeter
• Incentive
  • Corporate systems => disruption or destruction of subsystems; weakest entry point into the communication infrastructure
  • Individuals => theft of private data, hacking of physical objects, physical intrusions
• IoT networks and devices
  • Massive deployment of devices
    • Identical devices => identical, potentially flawed, security measures
    • Emergence of unplanned group behavior
  • Mesh networking
    • Node-to-node attacks that will not cross a security gateway
  • Diversification of manufacturers
    • Limited knowledge of security analyses and/or primitives and/or protocols
    • Put on the market first, secure afterwards (if at all)
    • Devices likely to outlive their manufacturing company
  • Security patching system
    • Complex, lengthy, interrupts the service
    • Proven to be rarely found affordable by users

Slide 8: PREVENTION SYSTEMS SHORTCOMINGS
• Limited computational power + limited battery
  • Complex cryptographic protocols may not be supported
• Limited memory space (typical figures on the slide: 16 kB RAM, 128 kB flash)
  • Alters the proper operation of cryptographic algorithms
  • Makes the implementation of stateful systems more problematic
• No hypervised execution environment
• Can lead to the adoption of bad security designs
  • Static secrets
  • Short secrets
  • Long-term shared secrets
• Still, preventive security has (obviously) to be enabled!

Slide 9: IOT IDS?
• Limited computing power
  • Limited analyses, especially limited behavioral (mathematical) analyses
• Limited battery
  • Most nodes cannot continuously monitor their surroundings
• Limited memory
  • Limited storage for attack signatures
  • Limited signature identification capabilities
• Not-that-adopted technologies
  • Requirements for specific antennas, chipsets, kernel modules
• HIDS?
  • No GUI and complex remote access mean that it is difficult to identify an ongoing attack on the host
  • Not a single line of code for post-mortem analysis
• Reaction?
  • Most dynamic attack deterrence mechanisms would not be supported by an IoT network
• State of the art
  • The literature has long addressed the needs of WSNs and MANETs
  • Specific IDSs for IoT are appearing
    • "WSN++": routing + rules and signatures for specific IoT protocols
    • Compare OS / device against cybersecurity flaw databases
(Probe log shown on the slide: one sender sweeping several ports.)
Time      Sender          Port
23000981  3ffe:0:0:1::1   25
23000997  3ffe:0:0:1::1   80
23001006  3ffe:0:0:1::1   443
23001018  3ffe:0:0:1::1   22
...       ...             ...

Slide 10: SYNTHESIS: RATIONALE FOR NETWORK INTRUSION DETECTION
Courses of action per kill-chain phase (source: Hutchins et al. 2011, and Shostack, Threat Modeling):
Phase                 | Detect                      | Deny         | Disrupt                   | Degrade            | Deceive      | Destroy
Recon                 | Traffic analytics           | Firewall ACL |                           |                    |              |
Weaponize             | NIDS                        | NIPS         |                           |                    |              |
Deliver               | Vigilant user               | Proxy filter | In-line AV                | Queuing            |              |
Exploit               | HIDS, automated code audit  | Patch        | Data Execution Prevention |                    |              |
Install               | HIDS                        | Chroot jail  | AV                        |                    |              |
Command & Control     | NIDS                        | Firewall ACL | NIPS                      | Tarpit             | DNS redirect |
Actions on Objectives | Audit log                   |              |                           | Quality of Service | Honeypot     |

Slide 11: ARCHITECTURES

Slide 12: PROBES: WHERE / WHAT
• Distributed network IDS
  • Multiple probes, coordinated detection results
  • Better detection efficiency
  • Visualization
  • Support for dynamic cartography
• Approach #1: deploy the probes as logical functions within physical entities that are part of the monitored IoT network
  • Pros
    • Access to the IoT node's internal status, if powerful enough (HIDS)
    • IPS, if powerful enough
    • Access to clear-text data
  • Cons
    • Monitoring may drain the battery, even with turnover between nodes
    • Likely no support for probe security enforcement
• Approach #2: deploy the IDS probes as dedicated physical entities that are external to the monitored IoT network
  • Pros
    • Always-on (mains-powered) probes
  • Cons
    • Requires a dedicated supervision network
(Figure: approach #1, probes inside the monitored network reporting to a SIEM; approach #2, detection probes on a separate monitoring network observing the monitored network and reporting to the SIEM.)

Slide 13: PROBES: HOW (= DETECTION METHOD)
• Signature-based detection
  • Compare network traffic with signatures of known attacks
    • Protocols/ports, inner content (DPI), communication patterns...
  • Pros
    • Excellent detection of known attacks
  • Cons
    • (Almost) no detection of unknown attacks
    • Requires an up-to-date signature database
• Behavioral analysis detection
  • Compare network traffic to (a) model(s) of benign traffic
  • Pros
    • Can detect unknown attacks
  • Cons
    • Precision
    • False positive rate
    • Requires learning on "good" normal traffic...
      • Actually normal
      • Yet diverse
      • ... ideally complemented with attack examples
    • Resource consumption
(Figure: signature matching, signatures #1, #2.1, #2.2, #2.3, #3 ... #n, each outcome labelled ATTACK or FINE.)

Slide 14: REACTION SYSTEMS
• Passive reaction systems: notify the network administrator without reconfiguring the network
  • Pros
    • The attacker cannot exploit the IDS to indirectly achieve their goals
  • Cons
    • Delay in countermeasure setup
    • Could lead to the tendency to report everything => useless
• Active reaction systems: reconfigure the network (and likely notify the network administrator)
  • Pros
    • Immediate action
  • Cons
    • Breaks the separation between the monitoring network and the monitored network
    • The attacker may exploit the IDS to indirectly achieve their goals

Slide 15: ACTIVE REACTIVE SECURITY COMPONENTS ON THE OODA LOOP
Observe => Orient => Decide => Act
• Detection system:
  • Monitor the communication link
  • Correlate unitary events
  • Categorize events (malicious / benign, with or without intermediate classes)
• Global security strategies
• Security-related reactions
  • Reconfiguration of security subsystems (access control, required authentication credentials, key strength and lifetime...)
• Other reactions
  • Reconfigure routing, addressing scheme, QoS...
(Figure labels: AI and NWK components, each at local and at global level.)

Slide 16: INTRUSION DETECTION FOR IOT: APPROACH #1 PROBES
• Radio and protocols
  • Specific radio probes (e.g. 802.15.4 with support for monitoring the neighborhood)
• Distributed implementation fitting hardware shortcomings
  • Nodes have various capabilities
    • Mostly sleeping / always on
    • Battery-powered / energy harvesting / mains-powered
    • Memory size => limited number of detectable attacks
    • Limited processing capabilities

Slide 17: INTRUSION DETECTION FOR IOT: APPROACH #2 & DETECTION
• Signature-based, behavioral, model-based?
• Artificial intelligence: choose the primitive
  • Random forest, deep neural network... ?
  • Adapt to the traffic type (e.g. IoT traffic is sometimes deterministic: use it!)
• Local, global or hybrid?
  • Run a neural network on the probe?
    • Resource-expensive
    • Real-time
  • Run a neural network on a remote server?
    • Bandwidth-consuming
    • And/or non-real-time
  • Both?
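As an added example that is not part of the presentation, the following Python shows both detection methods side by side on probe records laid out like the slide-9 log (time, sender, destination port): a signature on a communication pattern (one sender sweeping many ports, the case shown on slide 9) and a behavioral baseline that exploits the deterministic reporting of IoT nodes, as slide 17 suggests. Every address, port, timestamp and threshold is constructed for the example, and the "sensor reports to CoAP port 5683 every 60 time units" traffic is an assumption, not data from the deck.

```python
"""Added example (not from the presentation): the two detection methods of
slides 13 and 17 run over constructed probe records laid out like the slide-9
log (time, sender, port). Addresses, ports and timings are made up."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    time: int     # probe timestamp, arbitrary units as on the slide
    sender: str   # source address seen by the probe
    port: int     # destination port


def parse_records(text):
    """Parse 'time sender port' lines into Flow objects."""
    return [Flow(int(t), s, int(p)) for t, s, p in
            (line.split() for line in text.strip().splitlines())]


def signature_port_scan(flows, min_ports=4, window=60):
    """Signature on a communication pattern: a sender reaching `min_ports`
    distinct ports within `window`. One (time, sender, ports) alert per sender."""
    recent = defaultdict(deque)   # sender -> (time, port) pairs in the window
    flagged, alerts = set(), []
    for f in flows:
        q = recent[f.sender]
        q.append((f.time, f.port))
        while f.time - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and f.sender not in flagged:
            flagged.add(f.sender)
            alerts.append((f.time, f.sender, sorted(ports)))
    return alerts


class PeriodicBaseline:
    """Behavioral model for deterministic IoT traffic: per sender, the ports it
    uses and its mean reporting period, learned from benign flows only."""

    def __init__(self, tolerance=0.25):
        self.tolerance = tolerance      # allowed deviation, fraction of period
        self.ports = defaultdict(set)   # sender -> expected destination ports
        self.period = {}                # sender -> mean inter-report gap

    def learn(self, flows):
        last, gaps = {}, defaultdict(list)
        for f in flows:
            self.ports[f.sender].add(f.port)
            if f.sender in last:
                gaps[f.sender].append(f.time - last[f.sender])
            last[f.sender] = f.time
        self.period = {s: sum(g) / len(g) for s, g in gaps.items()}
        return self

    def detect(self, flows):
        """Return (time, sender, reason) for every flow that leaves the model."""
        alerts, last = [], {}
        for f in flows:
            if f.sender not in self.ports:
                alerts.append((f.time, f.sender, "unknown sender"))
            elif f.port not in self.ports[f.sender]:
                alerts.append((f.time, f.sender, f"unexpected port {f.port}"))
            elif f.sender in last and f.sender in self.period:
                gap, p = f.time - last[f.sender], self.period[f.sender]
                if abs(gap - p) > self.tolerance * p:
                    alerts.append((f.time, f.sender, f"period {gap} vs {p:.0f}"))
            last[f.sender] = f.time
        return alerts


# Constructed benign traffic: two sensors reporting to CoAP (5683) every 60 units.
TRAINING_LOG = """
100 3ffe:0:0:1::10 5683
130 3ffe:0:0:1::11 5683
160 3ffe:0:0:1::10 5683
190 3ffe:0:0:1::11 5683
220 3ffe:0:0:1::10 5683
250 3ffe:0:0:1::11 5683
"""

# Constructed probe log: the slide's port sweep from 3ffe:0:0:1::1 interleaved
# with sensor reports; one sensor then talks to port 23, one reports early.
TEST_LOG = """
23000900 3ffe:0:0:1::10 5683
23000930 3ffe:0:0:1::11 5683
23000960 3ffe:0:0:1::10 5683
23000981 3ffe:0:0:1::1 25
23000990 3ffe:0:0:1::11 5683
23000997 3ffe:0:0:1::1 80
23001006 3ffe:0:0:1::1 443
23001018 3ffe:0:0:1::1 22
23001020 3ffe:0:0:1::10 5683
23001023 3ffe:0:0:1::10 23
23001030 3ffe:0:0:1::11 5683
"""


def run_demo():
    """Run both detectors over TEST_LOG; returns (scan alerts, behavioral alerts)."""
    flows = parse_records(TEST_LOG)
    model = PeriodicBaseline().learn(parse_records(TRAINING_LOG))
    return signature_port_scan(flows), model.detect(flows)
```

The signature fires once, on the fourth port reached by 3ffe:0:0:1::1; it would never notice the sensor that starts talking to port 23, which only the baseline catches. The baseline in turn raises an alert for every packet from the scanner (an unknown sender) and flags the sensor that reports 40 units after its previous report instead of 60, which illustrates the false-positive cost of slide 13: with a training set that lacks the normal jitter of the nodes, the tolerance has to be set by hand, and a node that legitimately changes its reporting rate will be reported until the model is relearned.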
(Figure: IDS probes, some of them hosting an AI module locally, the others plain.)

Slide 18: IOT NETWORK: ACTIVE REACTION THROUGH SDN
• Need for a unified management system / platform able to handle security-related and non-security-related operations
• SDN is fine for operating a virtualized IDS infrastructure
  • Detection service
  • Reaction service
  • Cartography service
  • ...
• The most constrained devices cannot behave as SDN devices => proxying
(Figure: two variants. Left: an SDN controller running the IDS service and the reaction service, fed by IDS probes. Right: the same controller, with IDS probes and node probes reaching it through hardware/software plugins for technology #1 ... technology #n that proxy the non-SDN devices.)

Slide 19: TO SUMMARIZE...
• Preventive security is good, but it is not enough: it is always a good idea to complement it with reactive security!
• IoT networks are more exposed and more vulnerable than legacy networks. Plus, they cannot support many legacy security countermeasures.
• Do NOT assume "that IoT traffic will at some point go through a gateway with firewall, IDS/IPS, VPN etc.": that may (will) not be the case => cf. the IoT worm of "IoT Goes Nuclear: Creating a ZigBee Chain Reaction"
• IoT reactive security involves intrusion detection and may involve dynamic network reconfiguration
  • In turn, each involves networking tweaks and may involve artificial intelligence
• Network IDS best practices
  • Distributed
  • Dedicated probes (monitoring network != monitored network)
  • Probes hardware- and software-enforced
  • Cartography capability
  • Updatable attack signatures
  • Behavioral analysis is (today) worthwhile in deterministic and critical networks

Slide 20: THANK YOU!
Commissariat à l’énergie atomique et aux énergies alternatives
Institut List | CEA SACLAY NANO-INNOV | BAT. 861 – PC142
91191 Gif-sur-Yvette Cedex - FRANCE
www-list.cea.fr
Établissement public à caractère industriel et commercial | RCS Paris B 775 685 019
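The active reaction path of slides 14, 15 and 18 (IDS alert => reaction service => SDN reconfiguration) is worth seeing with its guards in place, because slide 14's warning that "the attacker may exploit the IDS to indirectly achieve their goals" is exactly what an unguarded reaction service enables: spoof traffic from the gateway, and the IDS cuts the gateway off for you. The Python below is an added example, not code from the presentation or from CEA List: a reaction service that turns alerts from the (separate) monitoring network into time-limited drop rules, refuses to act on protected infrastructure, requires corroboration by several probes, caps the number of reconfigurations per window, and installs the rule at a proxy for constrained nodes that cannot act as SDN devices. The topology, node names, probe names, thresholds and the alert stream are all constructed; the controller API is abstracted to a `FlowRule` record rather than any real OpenFlow call.

```python
"""Added example (not from the presentation): a reaction service for the
active, SDN-based reaction of slides 14, 15 and 18. It turns IDS alerts into
time-limited drop rules for the SDN controller, with the guards that keep an
attacker from using the IDS against the network. Topology and names are made up."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    time: int           # when the probe raised it
    probe: str          # probe on the monitoring network that raised it
    src: str            # suspected offending node
    confidence: float   # detector confidence in [0, 1]


@dataclass(frozen=True)
class FlowRule:
    datapath: str       # SDN switch or border router that enforces the rule
    match_src: str
    action: str
    expires: int        # absolute time at which the controller must remove it


@dataclass(frozen=True)
class Decision:
    mode: str           # "active" (rule installed) or "passive" (notify only)
    reason: str
    rule: Optional[FlowRule] = None


class ReactionService:
    def __init__(self, attachment, proxied, protected, min_probes=2,
                 min_confidence=0.8, ttl=300, budget=3, window=600):
        self.attachment = attachment      # node -> datapath that sees its traffic
        self.proxied = set(proxied)       # constrained nodes reached only via a proxy
        self.protected = set(protected)   # infrastructure that must never be cut off
        self.min_probes, self.min_confidence = min_probes, min_confidence
        self.ttl, self.budget, self.window = ttl, budget, window
        self.reports = defaultdict(set)   # src -> probes that reported it
        self.rules = {}                   # src -> installed FlowRule
        self.actions = deque()            # times of active reactions (budget)

    def handle(self, alert):
        """Decide on one alert; passive means the administrator is notified only."""
        now = alert.time
        self.reports[alert.src].add(alert.probe)
        # Guard 1: a spoofed alert must not let the attacker isolate the gateway
        # or controller; for protected nodes the reaction is always passive.
        if alert.src in self.protected:
            return Decision("passive", "protected node: notify only")
        if alert.src in self.rules:
            return Decision("passive", "rule already installed")
        # Guard 2: require corroboration by several probes and enough confidence.
        if (len(self.reports[alert.src]) < self.min_probes
                or alert.confidence < self.min_confidence):
            return Decision("passive", "not corroborated: notify only")
        # Guard 3: bound the reconfigurations the IDS can trigger per window, so
        # a flood of alerts cannot be turned into a denial of service.
        while self.actions and now - self.actions[0] > self.window:
            self.actions.popleft()
        if len(self.actions) >= self.budget:
            return Decision("passive", "reaction budget exhausted: notify only")
        # Proxying: a constrained node is not an SDN device, so the rule goes to
        # the datapath (border router) that proxies it.
        datapath = self.attachment.get(alert.src)
        if datapath is None:
            return Decision("passive", "no enforcement point: notify only")
        rule = FlowRule(datapath, alert.src, "drop", now + self.ttl)
        self.rules[alert.src] = rule
        self.actions.append(now)
        reason = "drop rule installed"
        if alert.src in self.proxied:
            reason += " at proxy (mesh-internal traffic not covered)"
        return Decision("active", reason, rule)

    def expire(self, now):
        """Remove rules past their TTL; returns the sources released."""
        gone = [s for s, r in self.rules.items() if r.expires <= now]
        for s in gone:
            del self.rules[s]
            self.reports.pop(s, None)
        return gone


def scenario():
    """Constructed alert stream; returns the service and its decisions in order."""
    attachment = {"sensor-7": "br-1", "sensor-8": "br-1", "sensor-9": "br-1",
                  "cam-2": "sw-3", "gw": "sw-3"}
    svc = ReactionService(attachment, proxied={"sensor-7", "sensor-8", "sensor-9"},
                          protected={"gw"})
    stream = [
        Alert(1000, "probe-A", "gw", 0.95),       # spoofed: aims at the gateway
        Alert(1010, "probe-A", "sensor-7", 0.9),  # one probe only
        Alert(1012, "probe-B", "sensor-7", 0.9),  # corroborated -> active at proxy
        Alert(1020, "probe-A", "cam-2", 0.5),
        Alert(1021, "probe-B", "cam-2", 0.6),     # two probes, low confidence
        Alert(1030, "probe-B", "cam-2", 0.85),    # active at its switch
        Alert(1040, "probe-A", "sensor-8", 0.9),
        Alert(1041, "probe-B", "sensor-8", 0.9),  # active: third reaction
        Alert(1050, "probe-A", "cam-2", 0.9),     # already handled
        Alert(1060, "probe-A", "sensor-9", 0.9),
        Alert(1061, "probe-B", "sensor-9", 0.9),  # budget exhausted -> passive
    ]
    return svc, [svc.handle(a) for a in stream]
```

Two design points follow from the deck. The corroboration guard only means something because the probes sit on a monitoring network the attacker does not control (slide 12's approach #2, repeated in slide 19's best practices); with in-band probes a single compromised node could supply both reports. And the "mesh-internal traffic not covered" note on proxied rules is slide 7's point that node-to-node attacks never cross a gateway: for a compromised constrained node the drop rule at the border router protects the rest of the infrastructure, while isolating it from its mesh neighbours needs the routing reconfiguration listed among slide 15's "other reactions", which no SDN datapath can do on its behalf.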