Page 1: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

Machine Learning for Ddos Detection in Packet Core Network for IoT

Kubra Saeedi

Computer Science and Engineering, master's level (120 credits)

2019

Luleå University of Technology

Department of Computer Science, Electrical and Space Engineering


Table of Contents

1. Introduction
1.1. Background
1.2. Research Motivation
1.2.1. Industrial Scenario
1.3. Healthcare Scenario
1.4. Thesis Objective
1.5. Delimitation
1.6. Research Questions
1.7. Research Methodology
1.8. Research Contribution
1.9. Thesis Outline
2. Background and Related Work
2.1. Attacks, Security Threats and Vulnerability
2.1.1. Vulnerability
2.1.2. Threat
2.1.3. Attack
2.2. What is DDoS attack
2.3. Direct and Indirect DDoS attack
2.4. Overview of DDoS attacks
2.5. How to launch DDoS Attack
2.6. Types of DDoS Attacks
2.7. Example of Attack
2.7.1. UDP Attack
2.8. DDoS Traffic Detection
2.9. Payload Inspection
2.10. Machine Learning
2.10.1. Supervised Learning
2.10.2. Unsupervised Learning
2.10.3. Reinforcement Learning
2.10.4. Deep Learning
2.11. Machine Learning Classifiers
2.11.1. K-Nearest Neighbor (KNN)
2.11.2. Decision Tree
2.11.3. Naïve Bayes Classifier
2.11.4. Logistic Regression
2.12. Summary of Machine Learning DDoS Detection
3. IoT Security Challenges
3.1. Security Threats in Mobile Network
3.1.1. GSM (Global System for Mobile Communication)
3.1.2. UMTS (Universal Mobile Telecommunication System)
3.1.3. LTE (Long Term Evolution)
3.2. NB-IoT Challenges
3.3. IoT Threat Enabling Features
3.4. IoT Protocols Vulnerabilities
3.4.1. CoAP (Constrained Application Protocol)
3.4.2. MQTT (Message Queuing Telemetry Transport)
3.4.3. AMQP (Advanced Message Queueing Protocol)
3.4.4. XMPP (Extensible Messaging and Presence Protocol)
3.4.5. UDP (User Datagram Protocol)
3.4.6. 6LoWPAN
3.4.7. 802.15.4 Standard
3.5. IoT Protocol Vulnerabilities
3.6. Summary
4. Machine Learning for DDoS Detection in the Packet Core Network for IoT
4.1. Method for DDoS Detection
4.2. Experimental Setup
4.2.1. Data Collection Phase
4.2.2. Feature Extraction
4.2.3. Classification Method Implementation
4.3. Summary
5. Results
5.1. Methodology
5.1.1. Experiment 1: Concatenated Normal and DDoS Data
5.1.2. Experiment 2: Manual Concatenation of DDoS and Normal Data
5.1.3. Experiment 3: Classification with a Single Attack
5.2. Classifiers Performance Evaluation
5.2.1. ROC Curve
5.2.2. Classifier Comparison
5.3. Summary
6. Conclusion and Future Work
6.1. Conclusion
6.2. Future Work
References


Table of Figures

Figure 1: IoT Ecosystem.
Figure 2: Critical and Massive IoT.
Figure 3: Smart Hospital Scenario [110].
Figure 4: Components Involved in IoT.
Figure 5: DDoS attack network infrastructure.
Figure 6: Direct and Indirect Attack [35].
Figure 7: Complex Reflection Attack [35].
Figure 8: Attack Life Cycle [37].
Figure 9: Types of DDoS attack [43].
Figure 10: TCP SYN Flood.
Figure 11: Decision Tree Structure.
Figure 12: The ITU X.805 Security Framework Architecture [77].
Figure 13: NB-IoT Deployment [82].
Figure 14: NB-IoT Partial Deployment [83].
Figure 15: IoT Protocol Stack.
Figure 16: IEEE 802.15.4 Secure Transceiver Block Diagram [102].
Figure 17: Experimental Research Methodology.
Figure 18: GTP-U Packet illustration.
Figure 19: End to End Communication in GTP Tunneling in EPC.
Figure 20: Proposed Method for DDoS Detection.
Figure 21: Fibaro Motion Sensor and Raspberry Pi Camera Module.
Figure 23 a: TCP SYN Attack.
Figure 23 b: Fibaro Motion Sensor Traffic.
Figure 24: DDoS Traffic Protocol (Left) and Normal Traffic Protocol (Right).
Figure 25: Labelling the data.
Figure 26: KNN Implementation using Scikit-learn.
Figure 27: Decision Tree Implementation using Scikit-learn.
Figure 28: Naive Bayes Implementation using Scikit-learn.
Figure 29: Logistic Regression Implementation using Scikit-learn.
Figure 30: Confusion Matrix.
Figure 34a: KNN 10-Fold Cross Validation ROC Curve.
Figure 34b: Decision Tree 10-Fold Cross Validation ROC Curve.
Figure 34c: Logistic Regression 10-Fold Cross Validation ROC Curve.
Figure 34d: Naive Bayes 10-Fold Cross Validation ROC Curve.
Figure 35: Classifiers Comparison.


List of Tables

Table 1: DDoS Attack Detection Techniques and Algorithm.
Table 2: Classes used for Classification.
Table 3: Classifiers Summary.
Table 4: Classification statistics based on 10-fold cross validation.
Table 5: Classification accuracy for manual concatenated Data using 10-fold cross validation.
Table 6: Precision and F-Score.
Table 7: Schematic Result of ROC Curve.


Abbreviations

3GPP 3rd Generation Partnership Project
6LoWPAN IPv6 over Low-Power Wireless Personal Area Network
ACL Access Control List
AMQP Advanced Message Queueing Protocol
CoAP Constrained Application Protocol
CVE Common Vulnerabilities and Exposures
DoS Denial of Service
DDoS Distributed Denial of Service
DNN Deep Neural Network
DNS Domain Name System
DoNAS Data over Non-Access Stratum
DTLS Datagram Transport Layer Security
EC-GSM-IoT Extended Coverage GSM-IoT
EPC Evolved Packet Core
EPG Evolved Packet Gateway
GMM-EM Gaussian Mixture Model using Expectation Maximization
GPS Global Positioning System
GSM Global System for Mobile Communication
GTP-U GPRS Tunneling Protocol - User Plane
HSS Home Subscriber Server
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
ID3 Iterative Dichotomiser 3
IETF Internet Engineering Task Force
IMDs Implantable Medical Devices
IoT Internet of Things
IP Internet Protocol
IMSI International Mobile Subscriber Identity
IPS Intrusion Prevention System
ISP Internet Service Provider
KNN K-Nearest Neighbor
LPWA Low Power Wide Area
LSTM-RNN Long Short-Term Memory Recurrent Neural Network
LTE Long Term Evolution
MDP Markov Decision Process
M2M Machine to Machine
MME Mobility Management Entity
MQTT Message Queuing Telemetry Transport
NB-IoT Narrowband Internet of Things
NAS Non-Access Stratum
NFC Near Field Communication
NTP Network Time Protocol
PGW Packet Data Network Gateway
PoD Ping of Death
PDN Packet Data Network
PRB Physical Resource Block
QCI QoS Class Identifier
RF Radio Frequency
RFID Radio Frequency Identification
SASL Simple Authentication and Security Layer
SGW Serving Gateway
SINR Signal-to-Interference-plus-Noise Ratio
SSH Secure Shell
SDK Software Development Kit
SSL Secure Sockets Layer
SVM Support Vector Machine
TCP Transmission Control Protocol
TEID Tunnel Endpoint Identifier
TLS Transport Layer Security
UDP User Datagram Protocol
UMTS Universal Mobile Telecommunications System
UE User Equipment
UWB Ultra-Wideband
WSN Wireless Sensor Network
XMPP Extensible Messaging and Presence Protocol


Acknowledgement

I dedicate this thesis to my family. To the strongest woman of my life, my lovely mother, Khaireyah, the most sympathetic man of my life, Behishti, my father, my one and only uncle Mohammad Sharif Saiidi, and my wonderful husband Hadi Sultani. Thanks for loving me and believing in me always. Without your love and support, I would not have been able to achieve what I have today.

I am thankful to the Swedish Institute for providing me the opportunity to gain a quality education and to fulfil all those great activities in advancing my knowledge and expertise through the Swedish Institute Scholarship.

I would like to express my heartfelt thankfulness to each of my supervisors, Dr. Saguna Saguna and Dr. Karan Mitra at Luleå University of Technology, and Hakan Oswaldsson and Mans Thornvik at Ericsson, for their guidance and encouragement during my entire research work. From the beginning of my journey in Sweden until today, Dr. Karan Mitra and Dr. Saguna have helped and inspired me in many aspects of my master's programme. I would like to thank Gonzalo Cornejo from Ericsson for helping me understand the mobile packet core, for introducing me to security tools and techniques, and for his continuous follow-up of my progress. Many thanks to Nada Abdul-Hak for closely following my work and always referring me to the right resources and directions at Ericsson.

Thanks to Shabna and all my wonderful friends in Skellefteå for spending time with me and making the best memories. Last but not least, thanks to my professors in every course.

Gothenburg, June 6, 2018

Kubra Saeedi


Abstract

With the advent of the Internet of Things (IoT), the number of connected devices is growing exponentially. This growth poses greater security challenges that are crucial to network operators, IoT service providers and users. Due to the heterogeneous and constrained nature of IoT devices, implementing security schemes on the devices themselves is very challenging. Attackers have used IoT devices to launch huge attacks such as Distributed Denial of Service (DDoS). To protect services from being attacked by insecure IoT devices accessing the mobile core network, raising security awareness in the core network is the only feasible solution. This thesis presents a comprehensive study of IoT threats and vulnerabilities from a packet core perspective and proposes a machine learning DDoS detection and mitigation method in the mobile core network. The proposed method has been tested using four supervised machine learning classification algorithms, and the performance of each classifier has been evaluated. The evaluation results show that the KNN algorithm performs with 99.93% accuracy, Decision Tree with 99.31% accuracy, Naïve Bayes with 74.17% accuracy, and Logistic Regression with 74.18% accuracy.
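The accuracy figures above come from 10-fold cross-validation of supervised classifiers over labelled traffic. As an added illustration of that evaluation loop (not the thesis's own code or dataset; the thesis implements its classifiers with scikit-learn, as its figure captions indicate), the block below constructs labelled per-second traffic windows in-line, scores them with a pure-Python k-nearest-neighbour classifier, and reports cross-validated accuracy, precision and recall. The feature names, value ranges and window counts are assumptions chosen so that the two classes are cleanly separable.

```python
"""Added example: KNN DDoS-vs-normal classification of per-second traffic
windows with 10-fold cross-validation.  Data are constructed (not captured),
and the classifier is a plain pure-Python k-NN, not the thesis's code."""
import math
import random

# Assumed per-window features: packets/s, share of TCP SYN packets, distinct sources.
FEATURES = ("packets_per_sec", "syn_ratio", "unique_sources")


def make_windows(n_normal=120, n_attack=120, seed=7):
    """Constructed feature vectors: label 0 = sparse sensor traffic,
    label 1 = SYN-flood style DDoS traffic.  Ranges are assumptions."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_normal):
        rows.append(([rng.uniform(5, 60), rng.uniform(0.02, 0.2), rng.randint(1, 6)], 0))
    for _ in range(n_attack):
        rows.append(([rng.uniform(500, 3000), rng.uniform(0.7, 1.0), rng.randint(40, 300)], 1))
    rng.shuffle(rows)
    return rows


def zscore_fit(rows):
    """Per-feature (mean, std) so packets_per_sec does not dominate the distance."""
    cols = list(zip(*[r[0] for r in rows]))
    stats = []
    for col in cols:
        mean = sum(col) / len(col)
        var = sum((x - mean) ** 2 for x in col) / len(col)
        stats.append((mean, math.sqrt(var) or 1.0))
    return stats


def zscore_apply(x, stats):
    return [(v - m) / s for v, (m, s) in zip(x, stats)]


def knn_predict(train, x, k=5):
    """Majority vote among the k nearest (Euclidean) training windows."""
    dists = sorted((math.dist(x, tx), ty) for tx, ty in train)
    votes = sum(ty for _, ty in dists[:k])
    return 1 if votes * 2 > k else 0


def cross_validate(rows, folds=10, k=5):
    """k-fold CV: returns (accuracy, precision, recall) over all held-out windows."""
    tp = tn = fp = fn = 0
    for i in range(folds):
        test = rows[i::folds]
        train = [r for j, r in enumerate(rows) if j % folds != i]
        stats = zscore_fit(train)  # scaling fitted on the training fold only (no leakage)
        train_z = [(zscore_apply(x, stats), y) for x, y in train]
        for x, y in test:
            pred = knn_predict(train_z, zscore_apply(x, stats), k)
            if pred == 1 and y == 1:
                tp += 1
            elif pred == 0 and y == 0:
                tn += 1
            elif pred == 1 and y == 0:
                fp += 1
            else:
                fn += 1
    total = tp + tn + fp + fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return (tp + tn) / total, precision, recall


if __name__ == "__main__":
    acc, prec, rec = cross_validate(make_windows())
    print(f"accuracy={acc:.4f} precision={prec:.4f} recall={rec:.4f}")
```

Two details matter in practice: the scaler is fitted on each training fold rather than on the whole dataset, so the held-out windows never influence the model they are scored against, and precision and recall are reported alongside accuracy because a flood that is rare in the capture can still yield a high accuracy from a classifier that never fires. On real core-network traffic the classes overlap far more than in this constructed set, which is why the thesis's figures sit below 100%.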


1. Introduction

This chapter develops the context of this thesis and describes its motivation, objective, research questions, delimitation and contribution. The last section of the chapter outlines the contents of the whole thesis.

1.1. Background

The Internet of Things (IoT) is defined as a “network to connect anything with the Internet based on stipulated protocols through information sensing equipment to conduct information exchange and communications to achieve smart recognition, positioning, tracking, monitoring, and administration” [1]. IoT adds new capabilities and creates new opportunities for end-users by providing IoT-based applications and services such as smart energy management, smart healthcare, process monitoring, environment monitoring and fleet management [2] [3] [1] [4]. Ericsson forecasted that there will be approximately 29 billion IoT devices by the year 2022 [5], of which 18 billion will be constrained devices such as smart switches, motion sensors and door sensors [5] and 11 billion will be devices such as smartphones


Figure 1: IoT Ecosystem.

The IoT ecosystem shown in Figure 1 consists of three parties: the device manufacturer, the IoT application running on application servers, and the Evolved Packet Core (EPC) belonging to the telecom operator. Each of these parties in the ecosystem should ensure user security, privacy and service availability [6] [7] [8]. IoT devices transmit packets via Zigbee and Z-Wave in the personal area network, while in the wide area network packets are transmitted via the eNodeB (GSM, UMTS and LTE). From the eNodeB, packets are transmitted to the EPC, which contains four nodes: the Mobility Management Entity (MME), Home Subscriber Server (HSS), Serving Gateway (SGW) and Packet Data Network Gateway (PGW).

IoT is leading the charge in the current digital landscape and offers driving forces such as new business opportunities, business revenue growth, improved decision making, cost reduction, safety and security, enhanced citizen experience and improved infrastructure [2]. However, 70% of IoT devices contain vulnerabilities, such as weak encryption and password security, that open the door for attackers to mount severe attacks like Denial of Service (DoS) [7]. Attackers keep trying new techniques to get through established security in order to cause damage, steal intellectual property and compromise sensitive data. Every day, security attacks become more dangerous and more sophisticated to defeat. Therefore, we need to identify what type of security control is required [9]. Learning how to anticipate attacks is the only way to protect IoT against attackers [3] [2].


In the era of machine-to-machine, machine-to-people and people-to-people connectivity, IoT is classified into two categories, massive IoT and critical IoT, based on their requirements and characteristics, as shown in Figure 2 [10] [11]. Massive IoT comprises a very large number of devices, including sensors and actuators, that are very cheap and consume little power in order to sustain a long battery life. Smart city, agriculture, transport and logistics are some use cases of massive IoT. Critical IoT applications, on the other hand, include remote manufacturing, remote surgery, autonomous cars, etc., which require high availability, ultra-reliability and low latency [6]. Any security issue leading to delay or service unavailability in either of these categories will have a potential societal and business impact [12]. Massive numbers of resource-constrained IoT devices connected to the network generate a massive amount of data, creating security challenges for the whole IoT network, because the devices lack the computational power, storage and battery life to execute authentication, encryption and other security algorithms [7] [8]. Therefore, IoT is very fragile and vulnerable to attacks such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) [13].

Figure 2: Critical and Massive IoT.


1.2. Research Motivation

The IoT, which integrates millions of devices connected to the Internet to facilitate our daily lives, is expanding rapidly. Despite all its advantages, IoT poses potential security challenges that need consideration. IoT objects are poorly managed, patched and secured [14]. Therefore, IoT is currently rendering an army of unsecured heterogeneous devices and protocols.

According to the Arbor security report [15], IoT DDoS attacks were the most dominant attack in 2017, and 65% of the attacks observed in 2016 were volumetric DDoS attacks. The Mirai DDoS attack [16], the most massive attack until now, was carried out by infecting insecure IoT devices. Therefore, DDoS attacks should be detected and mitigated. The most common DDoS attacks are TCP, UDP, SYN and DNS floods. Due to memory, processing and energy constraints and the heterogeneous nature of IoT devices, implementing security solutions on the devices is difficult. However, we can protect IoT services by detecting IoT attacks in the packet core network. The motivation is explained further below through an industrial and a healthcare scenario.

1.2.1. Industrial Scenario

This scenario presents how IoT and attacks on it can affect our lives. Due to urbanization and population growth, the need for a green environment is increasing. The only way to maintain a green and quality environment is installing green roofs. They can improve water quality, decrease carbon dioxide, decrease the urban heat island effect, conserve energy and reduce noise and air pollution [17]. However, cutting the grass that grows on the roofs is difficult for a human, while grass-cutting robots can easily do it. Purchasing a robot for each of the green roof owners would be expensive and unnecessary.


Instead, a company could own some robots and contract with the green roof owners to cut the grass on a schedule as it grows. IoT can automate this task with a drone that is enabled with geofencing technology (a service that uses GPS, Cell ID and RFID) to carry the robots from roof to roof. The robots also use geofencing so that they stay within the roof fence and do not fall. So IoT in this specific scenario brings ecological and economic benefits by enabling communication between devices. Now assume that an attacker causes a DoS or misguides the drones and/or the robots: the consequences can be physical damage or loss of human lives if they fall on someone.

Therefore, the security of IoT is very important, and the consequences of an IoT attack can be more dangerous than a Web attack that blocks legitimate users' access for a while. Attackers may not directly attack the service but may instead change the behavior of the IoT devices and their surrounding environment. As EY states, “the security of the “thing” is only as secure as the network in which it resides: this includes the people, processes, and technologies involved in its development and delivery” [4].


1.3. Healthcare Scenario

Healthcare is one of the most critical domains to which IoT has brought convenience, for both physicians and patients, through real-time monitoring, healthcare management, patient information management, etc. Body sensor network (BSN) technology is another development in IoT that helps physicians collect patients' information and monitor them through very constrained devices that use lightweight protocols, such as CoAP, for data transmission [18].

As shown in Figure 3, these devices collect and transmit sensitive data to another node such as a gateway. The security and privacy of these sensor nodes are very important since they hold the patient's vital information. Any illegal access to, leakage from or eavesdropping on these devices can cause severe harm to the patients. An adversary can change a data fragment and manipulate the packet. The manipulated packet and altered fragment cause a lack of integrity in the system that can be very dangerous and life-critical [19] [18]. For example, if an attacker causes a DoS against the devices that alert on a patient's high heart rate, the devices will not alert, and this will cause serious issues and even death. Therefore, the security of the devices and the secure delivery of healthcare information to the servers must be considered.

Figure 3: Smart Hospital Scenario [110].


1.4. Thesis Objective

A variety of studies [1] [2] [3] [4] [7] [8] have been conducted on IoT security threats and challenges, and some of them have focused on detecting DDoS attacks through machine learning [20] [21] [22] [23] [24]. However, to the best of our knowledge, none of the state-of-the-art research in this area has focused on detecting DDoS attacks in the packet core network. Therefore, this thesis aims to investigate each component of the Evolved Packet Core (EPC), as illustrated in Figure 4, including the Mobility Management Entity (MME) and the Evolved Packet Gateway (EPG), to find out which node and interface are appropriate for identifying and preventing security attacks originating from IoT devices. Lastly, this thesis aims to propose a machine learning based solution for detecting DoS attacks in the mobile core network.

Figure 4: Components Involved in IoT.


1.5. Delimitation

The IoT ecosystem, as shown in Figure 1, contains several entities. Each entity may have vulnerabilities that an attacker can target. Digging into each entity needs much time and is also out of the scope of this thesis. For example, IoT devices vary in type and capability, so considering only device security will not be a feasible way of protecting IoT services. Even if we come up with a better security proposal, implementing that solution in all devices will require more time and budget to manufacture and will increase prices. Also, a joint study and security consensus among three parties (device manufacturer, core network and service host) may not be possible. Therefore, we have limited this research to identifying and preventing attacks in the core network, which is the only way that will lead to a secure IoT service.

As connectivity is the foundation of IoT, the cellular network solutions within the 3GPP standards for low power, low cost, long battery life and extended coverage devices (Low Power Wide Area, LPWA) are Cat-M1, EC-GSM-IoT and NB-IoT, which handle secure, reliable and efficient data transmission. The Category M1 (Cat-M1) technology operates at 1.4 GHz with 20 dBm transmission power and can extend battery life up to 10 years. Narrowband IoT (NB-IoT) is also an LPWA radio technology, but it does not operate within the LTE (Long Term Evolution) construct; instead, it either operates independently, operates in unused 200-kHz bands that are used by GSM (Global System for Mobile Communication), or is given a resource block allocated on an LTE base station. NB-IoT is specifically designed to save device power while the devices are not operating, and power saving equals cost saving. NB-IoT is also reliable, as it runs on licensed spectrum, and it has larger coverage compared to EC-GSM-IoT and Cat-M [25] [26]. Therefore, we have limited this research to NB-IoT.

1.6. Research Questions

This section describes the following questions and the set of objectives that should be achieved in this research:


1. What are the relevant security challenges for IoT from a packet core perspective?

The thesis focuses on investigating the security challenges of IoT in the Evolved Packet Core.

2. How can machine learning technology be used to detect and prevent a DoS attack against an IoT network?

For the second research question, we aim to detect DDoS attacks generated by narrowband IoT devices in the packet core network through machine learning.

1.7. Research Methodology

This thesis follows the experimental research methodology described by the researchers in [27]. Since the aim is to detect DDoS attacks through machine learning in the packet core network from the packets generated by IoT devices, there are three main phases: data collection (normal and DDoS traffic), feature selection and extraction, and machine learning classification. In the data collection phase, normal and DDoS traffic were collected separately. In the second phase, features that indicate DDoS attacks were selected and extracted from the captured datasets. In the last phase, the data were pre-processed into an acceptable format with the Scikit-learn tool [119] and labeled. The dataset is then fed to four classifiers (KNN, Decision Tree, Naïve Bayes and Logistic Regression), and the classifiers' performance is evaluated.

1.8. Research Contribution

In this research, we were able to find and analyze IoT vulnerabilities and how attackers can make use of them to launch a DDoS attack. The main contribution of the thesis is the development of a machine learning based DDoS detection method in the packet core network. Our method leads to the protection of application servers and services from DDoS attacks. This approach is very effective since the attack is detected very close to its source, and it also saves host systems from investing in building individual protection systems.


The contributions are as follows:

a) An identification of an appropriate node for DDoS detection in the packet core network.

b) A demonstration of how a DDoS attack can be detected through machine learning in the packet core network.

c) A demonstration of the effectiveness of the classification algorithms used, through their performance evaluation.

d) A comprehensive study of IoT architecture and protocols.

1.9. Thesis Outline

The thesis is organized as follows. Chapter 2 provides the necessary background information regarding IoT security and machine learning approaches for DDoS detection, and also describes DDoS itself and how it can be launched. Chapter 3 presents IoT security challenges from a packet core perspective, including IoT-specific protocols and NB-IoT limitations. Chapter 4 describes the approaches taken for DDoS detection in this thesis and the tools that have been used, including the testbed environment. Chapter 5 describes the results and evaluates the classifier performance. Chapter 6 presents the conclusion and future work.


2. Background and Related Work

This chapter presents the security background of the Internet of Things from a machine learning perspective. The chapter begins by clarifying the difference between attack, threat and vulnerability, and continues with what a DDoS attack is and how it can be launched. It then describes how other researchers have used machine learning to detect DDoS attacks and which techniques they have used. This chapter also describes the attack life cycle and explains, with one example, how one can recognize an attack in network traffic captures.

2.1. Attacks, Security Threats and Vulnerability

Before going through IoT security threats, we need to understand the difference between attack, security threat and vulnerability, the terms used when talking about protecting system assets. An asset is an economic term for a sensitive and valuable item maintained by an entity. In an IoT system, however, the notion of an asset includes software, hardware and services [28].

2.1.1. Vulnerability

A vulnerability is a weakness in an information system, its security implementation or its internal controls that an attacker can use to launch an attack or perform an unauthorized activity. A vulnerability involves three elements: a flaw in the system, the attacker's access to the flaw, and the attacker's ability to exploit the flaw. In order to exploit a vulnerability of the system, an attacker must be able to connect to the system by some tool or technique. However, vulnerability must not be used interchangeably with risk, since risk is the potential impact that the system can face if the vulnerability is exploited [29].

IoT has flaws in each of its components. User equipment flaws are very easy to identify but difficult to fix due to the variety of device types and the lack of sufficient memory, processing power and energy. Software flaws also exist in IoT, including in application services, operating systems and communication protocols. Software flaws are possible to identify and fix; we discuss the communication protocol vulnerabilities of IoT in Chapter 3.


2.1.2. Threat

A threat is an advantage the attacker can gain by using a vulnerability of the system, and it has a negative impact on the system's behavior. Threats can originate from humans, and they can also occur naturally, such as by an earthquake, a flood or any other natural disaster that damages the computer system and IoT networks. Natural threats can be prevented only to some degree. However, preventing the threats that originate from humans is a challenge.

Threats caused by humans can be unauthorized access to the system to perform an illegal or malicious action. Human threats may be caused by experienced people who identify vulnerabilities and develop code and scripts to damage the system or perform an illegal activity, e.g., stealing business or government data. These types of threats are called structured threats, while unstructured threats can be caused by inexperienced people who readily install malicious tools on their equipment and do not have enough knowledge about the threats their equipment can cause. IoT devices appear in both structured and unstructured threats [30] [31]. According to Microsoft guidelines, threats should be identified through the joint teamwork of application architects, security specialists, testers, developers and system administrators. To identify threats, attack trees and attack patterns can be used [32] [31].

2.1.3. Attack

Attacks are the harm and disruption of the normal behavior of a system caused by misusing its vulnerabilities through different tools and techniques. Attacks come in different ways and with different motives. One type of attack is called an active attack, which is monitoring unencrypted network traffic to find sensitive information. Another type of attack is the passive attack, which is monitoring weakly encrypted traffic to find authentication information. The most common attacks are access attacks, physical attacks, distributed denial of service attacks, attacks on privacy such as password-based attacks, cyber espionage and eavesdropping [31].


2.2. What is DDoS attack

A Denial of Service (DoS) attack is an attempt by an attacker to make network resources unresponsive to their legitimate users by flooding the service's host. A Distributed Denial of Service (DDoS) attack is a DoS attack that originates from different sources [33]. Generally, a DoS attack is initiated from one device or virtual machine using an Internet connection, while DDoS attacks are initiated from many different compromised devices or virtual machines to overload the victim systems. DDoS is performed by sending a considerable number of requests simultaneously through botnets and compromised IoT devices to exhaust the computing resources (bandwidth and traffic handling) of the target. The compromised devices, also called bots or zombies, work under the supervision of one or many bot-masters, and the attacker controls groups of bots (a botnet) remotely, as in Figure 5. Bots can be either malicious users whose intention is to attack or legitimate users who are infected [34].

Figure 5: DDoS attack network infrastructure.


2.3. Direct and Indirect DDoS attack

A DDoS attack can be launched in two ways, either directly or through a reflector, as in Figure 6. In a direct network attack, the attackers send the packets directly to the target victim machine. In an indirect attack, also called an amplification or reflection attack, the attacker uses a reflector server and spoofs the source IP. The attacker sends the IP packet to the reflector server, and the reflector server then sends the response to the target. In a direct attack the victim receives the packet with the same payload as sent by the attacker, while in an indirect attack the reflection server amplifies the request it receives from the attacker and sends the response to the victim. For example, if the attacker sends 1 Mb/s, the attacker may use amplification of the number of packets and/or of the bandwidth, and the reflector may send more packets to the target victim than it receives. In a reflection attack it is possible to amplify the payload up to 4,670 times, meaning that if the attacker sends a packet stream of 1 Gb/s to the reflector server(s), the reflector will reply to the victim with a payload of over 4,670 times the actual payload [35]. In a complex reflection attack, the attacker also uses a master node, also called a handler, that controls hundreds of zombies in a botnet, as can be seen in Figure 7.

Figure 6: Direct and Indirect Attack [35].

Figure 7: Complex Reflection Attack [35].


2.4. Overview of DDoS attacks

In [36] the authors state that IoT devices have limitations in battery, computation, memory and radio bandwidth. Therefore, applying security solutions, which generally require a heavy communication load and more computation resources, is not easy. Authentication, access control and malware detection for vulnerable IoT devices need to be considered. The IoT, including devices, services and networks, is vulnerable to different attacks such as physical, software, DoS, DDoS, jamming, spoofing, man-in-the-middle and privacy leakage attacks. In the paper, the authors recommend that machine learning techniques be used as a trade-off between IoT protection overhead and security performance. In addition, machine learning techniques such as dFW can be used, which require low computation and communication overhead.

Since the majority of IoT security threats come from insecure IoT devices, the authors in [37] have proposed a network-based technique to detect compromised IoT devices. The technique was developed by analyzing the two leading malware families, Mirai and BASHLITE. This malware is detected and analyzed with tools available to ISPs such as NetFlow, packet and DNS capture analysis, and honeypots. The authors' primary goal is to find out the common properties, techniques and stages of malware that targets IoT. Every IoT malware follows the following four stages in its life cycle, as seen in Figure 8:

1. Scanning is performed by scan engines to find hosts' vulnerabilities. Random IPv4 addresses and subnets are scanned, and mostly port 23, which runs the Telnet daemon, is the target; sometimes port 2323 and any other port on which a weak service is running is scanned.

2. Attack is also a common property of IoT malware. The frequent Telnet dictionary attack is performed using generic credentials such as “admin/admin” and vendor-specific credential schemes.

3. Infection is performed in different ways such as HTTP download (wget), TFTP, DH/uTP [38] and echo over Telnet. A compiled C binary of the malware is downloaded in this way to infect the scanned IoT devices.

4. Abuse: IoT botnets perform volumetric DDoS attacks. Most of the DDoS attacks are SYN and SYN/ACK flood, TCP flood, UDP flood and HTTP attacks.

Figure 8: Attack Life Cycle [37].

According to the authors, attacks mounted by compromised IoT devices follow the same life cycle and can be mitigated at the ISP level with the tools mentioned.
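The scan stage above is the one an ISP or core-network operator can see first in flow records: one source touching the Telnet port on many unrelated hosts with flows of one or two packets. The following is an added example of that detection logic, not code from the thesis or from the tools cited in [37]; the NetFlow-like records are constructed and the thresholds (five hosts in three /24 subnets, at most two packets per probe) are assumptions chosen for this sample.

```python
"""Detect the scan stage of the IoT-malware life cycle in NetFlow-style records.

Added example, not code from the thesis. The flow records are constructed and
the thresholds are assumptions chosen for this sample.
"""
from collections import defaultdict

# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port, proto, packets).
# 10.0.0.7 probes Telnet on many unrelated hosts with one packet each (scan);
# the other sources hold ordinary sessions.
SAMPLE_FLOWS = [
    ("10.0.0.7", "203.0.113.4", 23, "tcp", 1),
    ("10.0.0.7", "198.51.100.9", 23, "tcp", 1),
    ("10.0.0.7", "192.0.2.77", 23, "tcp", 1),
    ("10.0.0.7", "203.0.113.200", 2323, "tcp", 1),
    ("10.0.0.7", "198.51.100.130", 23, "tcp", 2),
    ("10.0.0.7", "192.0.2.8", 23, "tcp", 1),
    ("10.0.0.9", "203.0.113.10", 443, "tcp", 40),
    ("10.0.0.9", "203.0.113.11", 443, "tcp", 35),
    ("10.0.0.11", "192.0.2.50", 23, "tcp", 210),   # one long legitimate Telnet session
]

TELNET_PORTS = {23, 2323}       # the ports named in the scan stage
MAX_PROBE_PACKETS = 2           # assumption: an unanswered probe stays tiny


def subnet24(ip):
    """Return the /24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3])


def scan_stats(flows):
    """Per source: distinct hosts and /24 subnets touched by tiny Telnet-port flows."""
    targets = defaultdict(set)
    subnets = defaultdict(set)
    for src, dst, dport, proto, pkts in flows:
        if proto == "tcp" and dport in TELNET_PORTS and pkts <= MAX_PROBE_PACKETS:
            targets[src].add(dst)
            subnets[src].add(subnet24(dst))
    return {src: {"hosts": len(targets[src]), "subnets": len(subnets[src])}
            for src in targets}


def detect_scanners(flows, min_hosts=5, min_subnets=3):
    """Sources whose Telnet probing fans out over many hosts in many subnets."""
    stats = scan_stats(flows)
    return sorted(src for src, s in stats.items()
                  if s["hosts"] >= min_hosts and s["subnets"] >= min_subnets)


if __name__ == "__main__":
    print(scan_stats(SAMPLE_FLOWS))
    print("suspected scanners:", detect_scanners(SAMPLE_FLOWS))
```

The packet-count bound is what separates a probe from the long legitimate Telnet session of 10.0.0.11, and the subnet fan-out is what separates random IPv4 scanning from a host that merely manages several devices on one LAN.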

Attackers also launch DDoS attacks from the cloud by renting virtual machines, since these machines have higher computational power and cannot easily be traced back. DDoS defense systems can be implemented on both the source side and the destination side. In a destination-side defense system, an attack can be detected only when it reaches the destination, which is one of the drawbacks of this type of defense. Source-side defense systems address this drawback by comparing incoming and outgoing traffic to detect DDoS attacks, as in the D-WARD [39], MULTOPS [40] and MANAnet [41] systems.

The authors in [20] proposed a machine learning based DDoS detection system which has one pre-trained module to identify suspicious actions in the virtual machines and another online learning module to update the pre-trained module. The system was tested with nine different machine learning algorithms against ICMP flood, TCP SYN, DNS reflection and SSH brute-force attacks, which are specified as the machine learning features. The detection result of the supervised technique with machine learning algorithms such as Naïve Bayes, random forest, SVM and Decision Tree is 93 % accuracy, while the machine learning algorithm for the unsupervised technique is not discussed.


In [42] an automatic machine learning based defense against Distributed Denial of Service attacks is introduced. To have a more effective defense system, the authors propose an automated learning approach that monitors resource utilization using a neural network for anomaly detection, instead of source-side or destination-side protection or detection. This method uses agents to report resource utilization. Resource usage is compared against a specified threshold at regular time intervals, and the system is considered to be under attack when the comparison result exceeds the limit. Since there is no consensus on what traffic should be considered anomalous, the IP header from layer 3, the TCP header from layer 4 and HTTP requests from layer 7 are the features extracted for machine learning as common characteristics of DDoS attacks. Then, using machine learning techniques, algorithms are trained to differentiate attacks based on data collected in both normal and abnormal situations for those three feature sets. It is claimed that the trained algorithm can detect and drop the malicious packets before they harm the infrastructure. This method has been tested using the NCTUNS network simulator.

2.5. How to launch DDoS Attack

To launch a DDoS attack, attackers initially identify vulnerabilities of one or multiple groups of IoT devices in order to install malicious software on them. When the malicious software is installed on the devices, they are called zombies. The attackers then form a large, geographically distributed group of zombies, called a botnet. Each group of zombies has a handler, which is a software package placed on the Internet. The handlers communicate directly with the attackers and the zombies, since they have information about the active zombies. When launching an attack, the attackers send the attack command to the zombie handlers, which distribute it to all zombies. The zombies then attack the target system. DDoS attacks generated with spoofed IP addresses are challenging to handle and filter [43] [44].


2.6. Types of DDoS Attacks

DDoS attacks are generally classified into three categories, as seen in Figure 9. The attacks mentioned below occur in the application, network and transport layers. Attackers exploit the weaknesses of different protocols in different layers to launch a DDoS attack. For instance, in a UDP flood the attacker overwhelms random ports of the target host with User Datagram Protocol packets. The host repeatedly checks for an application listening on the port, but no application is bound to it, so the host replies with an ICMP ‘Destination Unreachable’ error. This process consumes host resources and leads to unavailability of the host to its legitimate users. Protocol attacks such as Ping of Death (PoD) and Smurf manipulate the Internet Protocol to send malicious pings to a system [45].

Attackers use ping scan techniques to discover possible victims; the best-known ping scans are UDP, TCP SYN or ACK, and ICMP scans. An ICMP scan is effective when firewall and ACL rules are less restrictive towards LANs or ranges of internal IP addresses. A UDP scan is useful when unsolicited UDP traffic and egress ICMP traffic are not blocked by the firewall. A TCP scan is effective against stateless firewalls that do not reject unsolicited ACK packets [46].

Figure 9: Types of DDoS attack [43].


2.7. Example of Attack

Consider a TCP SYN flood attack, in which the attacker exploits the three-way handshake of TCP communication. The attacker sends a SYN packet to the server; the server sends a SYN-ACK packet back to the client and keeps a port open to receive the ACK from the client, but the final ACK never comes. The attacker keeps sending SYN packets to the server, and the server keeps opening ports temporarily for a specific time. When all ports are in use, the server stops working properly and stops responding to legitimate users [47]. As in Figure 10, when 202.179.158.214 sends a [SYN] packet to 192.168.10.5, 192.168.10.5 replies with [SYN, ACK] to 202.179.158.214 and then waits for an [ACK] from 202.179.158.214 that never comes. The attacker keeps sending [SYN] packets, each time from another spoofed IP, as can be seen in rows 1, 3, 5 and 7 of Figure 10.

2.7.1. UDP Attack

In a UDP attack, the attacker sends a colossal number of UDP packets to the target victim, often to random ports. The host system looks for an application on that port; if no service or application is running there, the host replies with an ICMP unreachable message to the source. Since the attacker continuously sends UDP packets and the host keeps replying with ICMP unreachable messages, this leads to maximum resource consumption on the victim and overload of the network link. Eventually, the victim machine will not be able to respond to its legitimate users. Due to the stateless nature of the UDP protocol, attackers can easily launch a UDP flood by spoofing their source address. However, some operating systems mitigate UDP floods by restricting the number of ICMP responses [48].

Figure 10: TCP SYN Flood.
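The operating-system mitigation mentioned for the UDP flood above, restricting the rate of ICMP unreachable replies, is easiest to see with a token bucket. The following is an added example, not code from the thesis or from [48]; the host (only port 53 open), the flood timing (100 datagrams, one every 10 ms) and the limiter settings (10 replies per second, burst of 5) are constructed for the demonstration.

```python
"""Rate-limit ICMP 'port unreachable' replies, the OS mitigation for UDP floods.

Added example, not from the thesis or [48]. The host, its open ports, the
flood timing and the limiter settings are all constructed.
"""


class IcmpRateLimiter:
    """Token bucket kept in integer milli-tokens so the arithmetic is exact.

    `rate_per_s` tokens are added per second (1 token/s is 1 milli-token/ms),
    at most `burst` tokens are banked, and each reply spends one token.
    """

    def __init__(self, rate_per_s, burst):
        self.rate_per_ms = rate_per_s        # milli-tokens gained per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def handle_udp(dport, now_ms, open_ports, limiter):
    """Return 'deliver', 'icmp-unreachable' or 'drop-silently' for one datagram."""
    if dport in open_ports:
        return "deliver"
    if limiter is None or limiter.allow(now_ms):
        return "icmp-unreachable"
    return "drop-silently"


def simulate_flood(n_packets, interval_ms, open_ports, limiter):
    """Send n datagrams to closed ports and count the host's reactions."""
    counts = {"deliver": 0, "icmp-unreachable": 0, "drop-silently": 0}
    for i in range(n_packets):
        dport = 1024 + i                      # constructed: walks through closed ports
        counts[handle_udp(dport, i * interval_ms, open_ports, limiter)] += 1
    return counts


OPEN_PORTS = {53}                             # constructed host: only DNS listens

if __name__ == "__main__":
    print("without limiter:", simulate_flood(100, 10, OPEN_PORTS, None))
    print("with limiter:   ",
          simulate_flood(100, 10, OPEN_PORTS, IcmpRateLimiter(rate_per_s=10, burst=5)))
```

Without the limiter every datagram to a closed port costs the host an ICMP reply; with it, the burst of 5 is answered and afterwards only one reply per 100 ms leaves the host, so the reply traffic no longer scales with the flood.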


2.8. DDoS Traffic Detection

Several techniques have been used to detect DDoS attacks by classifying network traffic, for example [49] [50] [51] [52]. The purpose of traffic classification is to increase QoS and network security and to improve network resource management. The classification can be based on either unidirectional or bidirectional traffic flows. A unidirectional flow is the flow of network packets from a host to a server, identified by the five-tuple of source IP and port, destination IP and port, and transport layer protocol, while a bidirectional flow considers the packets sent and received in both directions between the hosts.
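The two flow definitions above, and the SYN flood capture described in section 2.7, fit together: only a bidirectional flow can tell whether the SYN that the server answered was ever acknowledged. The following is an added example, not code from the thesis, that aggregates packets under both keys and derives a half-open-handshake feature per server. The packet list is constructed to mirror the exchange described for Figure 10 (the server and one attacker address are taken from that text, the other sources are made up), and the detection thresholds are assumptions.

```python
"""Five-tuple flow aggregation (unidirectional and bidirectional) and the
half-open-handshake feature that exposes a SYN flood.

Added example, not code from the thesis. The packets are constructed to
mirror section 2.7; the thresholds in is_syn_flood are assumptions.
"""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto flags")
SERVER = ("192.168.10.5", 80)


def tcp(src, sport, dst, dport, flags):
    return Packet(src, sport, dst, dport, "tcp", flags)


# Constructed capture: four spoofed sources each send one SYN, the server
# answers SYN-ACK and waits for an ACK that never comes; one legitimate
# client (192.168.10.20) completes the handshake and exchanges data.
SAMPLE_PACKETS = [
    tcp("202.179.158.214", 40001, *SERVER, "S"),
    tcp(*SERVER, "202.179.158.214", 40001, "SA"),
    tcp("198.51.100.7", 40002, *SERVER, "S"),
    tcp(*SERVER, "198.51.100.7", 40002, "SA"),
    tcp("198.51.100.8", 40003, *SERVER, "S"),
    tcp(*SERVER, "198.51.100.8", 40003, "SA"),
    tcp("203.0.113.9", 40004, *SERVER, "S"),
    tcp(*SERVER, "203.0.113.9", 40004, "SA"),
    tcp("192.168.10.20", 51000, *SERVER, "S"),
    tcp(*SERVER, "192.168.10.20", 51000, "SA"),
    tcp("192.168.10.20", 51000, *SERVER, "A"),
    tcp("192.168.10.20", 51000, *SERVER, "PA"),
    tcp(*SERVER, "192.168.10.20", 51000, "A"),
]


def flow_key(pkt, bidirectional=False):
    """Five-tuple key; the bidirectional form orders the endpoints canonically."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    if bidirectional and a > b:
        a, b = b, a
    return (a, b, pkt.proto)


def aggregate_flows(packets, bidirectional=False):
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p, bidirectional)].append(p)
    return dict(flows)


def handshake_state(flow_packets):
    """'half-open': SYN answered by SYN-ACK but never ACKed; 'completed'; 'other'."""
    syn_from, synack_from, ack_from = set(), set(), set()
    for p in flow_packets:
        ep = (p.src, p.sport)
        if p.flags == "S":
            syn_from.add(ep)
        elif p.flags == "SA":
            synack_from.add(ep)
        elif "A" in p.flags:
            ack_from.add(ep)
    for client in syn_from:
        if client in ack_from:
            return "completed"
        if synack_from:
            return "half-open"
    return "other"


def syn_flood_features(packets, server):
    """Half-open/completed handshake counts towards one server over bidirectional flows."""
    half_open = completed = 0
    sources = set()
    for key, pkts in aggregate_flows(packets, bidirectional=True).items():
        if key[2] != "tcp" or server not in key[:2]:
            continue
        client = key[1] if key[0] == server else key[0]
        state = handshake_state(pkts)
        if state == "half-open":
            half_open += 1
            sources.add(client[0])
        elif state == "completed":
            completed += 1
    total = half_open + completed
    return {"half_open": half_open, "completed": completed,
            "distinct_sources": len(sources),
            "half_open_ratio": half_open / total if total else 0.0}


def is_syn_flood(features, min_half_open=3, min_ratio=0.5):
    """Assumed thresholds: several half-open flows and they dominate the handshakes."""
    return (features["half_open"] >= min_half_open
            and features["half_open_ratio"] >= min_ratio)
```

Under the unidirectional key the capture splits into ten flows, each direction on its own; under the bidirectional key it collapses to five, which is what lets the handshake state be judged per connection.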

Pattern detection is a mechanism that detects attacks by knowing the signatures of known attacks. Pattern detection systems are much like virus detection systems. Snort is one detection system that identifies attacks by attack signatures [53]. Beyond this, payload inspection and machine learning based traffic classification are the two effective approaches for DDoS detection.

2.9. Payload Inspection

Payload inspection techniques do not restrict themselves to the unidirectional and bidirectional traffic flow classification that uses the network five-tuple. Deep Packet Inspection (DPI) is a well-known payload inspection technique that inspects the packet deeper than the protocol header. DPI techniques identify matching patterns in the packet by scanning every single byte of the packet; when a matching signature is found the packet is dropped, and network intrusion detection systems prevent attacks through DPI.


DPI applications can be software-based or hardware-based. Since networking speed is doubling every year, software-based DPI applications deployed on a router port cannot easily keep up with the line rate. Therefore, the authors in [54] have proposed a hardware-based technique using a Bloom filter that performs signature matching without degrading network throughput. A Bloom filter is a space-efficient probabilistic data structure that stores signatures by setting the bits selected by several hash functions; a lookup can return a false positive but never a false negative, so a hit still has to be confirmed by an exact comparison. Due to the efficient performance of deep packet inspection systems, several pattern matching algorithms such as Aho-Corasick, Commentz-Walter and Wu-Manber have been introduced [55].
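The way a Bloom filter fits into signature matching, and why its false positives are tolerable, is shown in this added example. It is not the hardware design of [54] or the thesis's own code; the signatures and the two payloads are constructed and harmless, and the filter is sized with the standard m and k formulas for a 1 % false-positive target.

```python
"""Bloom-filter signature matching for deep packet inspection.

Added example, not the design of [54] or the thesis's code. Signatures and
payloads are constructed; a Bloom hit is only a candidate and is confirmed
exactly before the packet is dropped.
"""
import hashlib
import math


class BloomFilter:
    """Bit array with k double-hashed positions per item; no false negatives."""

    def __init__(self, n_items, fp_rate=0.01):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1   # odd step so positions spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


class SignatureScanner:
    """Slide a window of every signature length over the payload, Bloom-check each
    window, then verify candidates exactly against the signature set."""

    def __init__(self, signatures, fp_rate=0.01):
        self.signatures = set(signatures)
        self.lengths = sorted({len(s) for s in self.signatures})
        self.bloom = BloomFilter(len(self.signatures), fp_rate)
        for s in self.signatures:
            self.bloom.add(s)

    def scan(self, payload):
        """Return (confirmed matches, number of Bloom candidates examined)."""
        matches, candidates = [], 0
        for length in self.lengths:
            for i in range(len(payload) - length + 1):
                window = payload[i:i + length]
                if window in self.bloom:            # cheap probabilistic test
                    candidates += 1
                    if window in self.signatures:   # exact confirmation
                        matches.append(window)
        return matches, candidates


def verdict(payload, scanner):
    """Drop only on a confirmed signature match."""
    matches, _ = scanner.scan(payload)
    return "drop" if matches else "forward"


# Constructed, harmless signatures and payloads for the demonstration.
SIGNATURES = [b"EXAMPLE-SIG-1", b"/cgi-bin/example-bad", b"XX-BAD-TOKEN-XX"]
SUSPICIOUS = b"GET /cgi-bin/example-bad HTTP/1.1\r\nUser-Agent: EXAMPLE-SIG-1\r\n\r\n"
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: sensor.example\r\n\r\n"

if __name__ == "__main__":
    scanner = SignatureScanner(SIGNATURES)
    for payload in (SUSPICIOUS, CLEAN):
        print(scanner.scan(payload), verdict(payload, scanner))
```

The bit array is what a hardware implementation keeps on-chip; the exact comparison only runs for the few windows the filter lets through, which is why the per-byte scan can keep line rate while the occasional false positive costs one extra comparison rather than a wrongly dropped packet.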

2.10. Machine Learning

Various machine learning techniques have been used to detect DDoS attacks. No single technique is able to detect all the different DDoS attacks, and different algorithms give different results depending on the data attributes and the specific technique. For instance, the evaluation by Manjula et al. [21] shows that the Fuzzy C-Means algorithm, an unsupervised clustering technique, performs better on twenty-three extracted features than the other algorithms compared. Still, no single technique with one set of features that detects all types of DDoS attacks has been proposed. The major problems in DDoS detection are distinguishing attacks from traffic generated by legitimate users and achieving real-time detection, because of the massive amount of data in current networks. The experiments of Peter et al. [43] show that the Long Short-Term Memory Recurrent Neural Network (LSTM RNN) deep learning technique is effective in detecting DDoS attacks on the network. The choice between supervised and unsupervised machine learning algorithms depends on criteria such as data volume, data structure and DDoS type. The following three machine learning approaches have been used for DDoS detection in the IoT.

2.10.1. Supervised Learning

Supervised machine learning is a technique in which we teach an algorithm what conclusion it should produce: the possible outputs are already known, and the training data is labeled with the right answer. Deep Neural Networks (DNN), neural networks, K-Nearest Neighbor (KNN), Support Vector Machines (SVM) and Naïve Bayes algorithms are used for classifying network intrusion, DDoS and spoofing attacks against IoT devices [36].


2.10.2. Unsupervised Learning

The purpose of unsupervised learning is for the machine to learn about the data and find the inherent groupings in it. Hidden Markov Models, Fuzzy C-Means and Multivariate Correlation are some of the unsupervised techniques used to detect DDoS attacks.

2.10.3. Reinforcement Learning

Reinforcement learning is another type of machine learning technique, which requires no training data; the machine learns the ideal behavior through trial and error. Markov Decision Processes (MDPs), Q-learning, Dyna-Q and Post-Decision State are the algorithms used in reinforcement learning for IoT authentication, malware detection and anti-jamming transmission [36] [56].

2.10.4. Deep Learning

In deep learning, multiple levels of features exist and are discovered automatically; each level of features is derived from the previous level. Research shows that deep learning has high potential for anomaly detection in the context of SDN [57].

2.11. Machine Learning Classifiers

There is a variety of machine learning algorithms used for classification and clustering. We have used the classification algorithms below for binary classification (classifying DDoS traffic and normal traffic) in this thesis.


2.11.1. K-Nearest Neighbor (KNN)

KNN [58] [59] is a powerful and robust classification algorithm. KNN is also called an instance-based learner, which means that the algorithm memorizes the training instances instead of learning a model. For example, when a query is made to a database, or when we ask the model to predict the output for a given input, the model produces the answer from the stored instances. KNN belongs to the supervised family of machine learning algorithms, which require a labeled dataset of training samples (x, y) and predict the relationship between x and y. The purpose is to learn a function h: x → y that predicts the target y for an unseen observation x as h(x).

The KNN classifier works in the following way, given a positive integer K, a similarity metric d and an unseen observation x:

1. It goes through the entire dataset and computes d between x and each training observation. The K points in the training data closest to x form the neighbor set A. To prevent ties, K is often an odd integer.

2. It then estimates the conditional probability of each class from the observations in A.

The decision boundary of the KNN classifier depends on the variable K. K is a hyperparameter of KNN that must be chosen by the designer or the data scientist performing the machine learning task, and its value should be the best-fitting integer for the dataset. A small K value makes the classifier more short-sighted, since we limit the region of training data that votes on the prediction; a higher K value leads to smoother decision boundaries and more resilience to outliers, since there are more voters in each prediction [59]. The distance metric or distance function d used for the KNN algorithm is the Euclidean distance.
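The two steps above, worked as an added example that is not part of the thesis or its code: a from-scratch KNN binary classifier in Python over constructed per-flow features (packets per second, mean packet size, distinct sources), with min-max scaling added here as an assumption so the Euclidean distance is not dominated by the packet rate, an odd-K check, and the conditional class probabilities estimated from the K neighbours.

```python
import math
from collections import Counter

# Constructed per-flow feature vectors (not the thesis dataset):
# (packets per second, mean packet size in bytes, distinct source addresses).
# Label 1 = DDoS traffic, 0 = normal traffic.
TRAIN = [
    ((20.0, 800.0, 3.0), 0),
    ((35.0, 650.0, 5.0), 0),
    ((50.0, 900.0, 4.0), 0),
    ((15.0, 1200.0, 2.0), 0),
    ((900.0, 64.0, 250.0), 1),
    ((1500.0, 60.0, 400.0), 1),
    ((1200.0, 70.0, 300.0), 1),
    ((2000.0, 64.0, 600.0), 1),
]


def fit_minmax(rows):
    """Per-feature min and max from the training data, used for scaling."""
    dims = len(rows[0][0])
    lo = [min(x[i] for x, _ in rows) for i in range(dims)]
    hi = [max(x[i] for x, _ in rows) for i in range(dims)]
    return lo, hi


def scale(x, lo, hi):
    """Min-max scale one observation (assumption added here) so that the
    packets-per-second feature cannot dominate the Euclidean distance."""
    return tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(x, lo, hi))


def euclidean(a, b):
    """Distance metric d used in the thesis: Euclidean distance."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def knn_posteriors(train, x, k=3, metric=euclidean):
    """Steps 1 and 2 of the KNN classifier: find the K training observations
    closest to x, then estimate P(class | x) as the fraction of those
    neighbours carrying each label."""
    if k % 2 == 0:
        raise ValueError("use an odd K to avoid ties in binary classification")
    lo, hi = fit_minmax(train)
    xs = scale(x, lo, hi)
    # Step 1: distance from x to every training observation, keep the K nearest.
    ranked = sorted(train, key=lambda row: metric(scale(row[0], lo, hi), xs))
    neighbours = ranked[:k]
    # Step 2: conditional class probabilities from the votes of the K neighbours.
    votes = Counter(label for _, label in neighbours)
    return {label: votes[label] / k for label in (0, 1)}


def knn_predict(train, x, k=3):
    """Return the label with the highest estimated conditional probability."""
    post = knn_posteriors(train, x, k)
    return max(post, key=post.get)


if __name__ == "__main__":
    burst = (1100.0, 66.0, 280.0)  # constructed: many small packets from many sources
    quiet = (30.0, 700.0, 4.0)     # constructed: a normal-looking flow
    print("burst ->", knn_predict(TRAIN, burst, k=3), knn_posteriors(TRAIN, burst, k=3))
    print("quiet, K=3 ->", knn_posteriors(TRAIN, quiet, k=3))
    print("quiet, K=5 ->", knn_posteriors(TRAIN, quiet, k=5))  # larger K lets one DDoS neighbour vote
```

With K=5 the quiet flow's fifth neighbour is a DDoS sample, so the posterior becomes 0.8/0.2 instead of 1.0/0.0: the smoothing effect of a larger K that the paragraph describes.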

2.11.2. Decision Tree

The Decision Tree is a well-known machine learning algorithm used to build a classifier that classifies unknown data from the training data. A decision tree can be either a binary tree or a non-binary tree, and it contains a root node, internal nodes and leaf nodes. The root node contains all the observations, and each internal node holds a feature test. The decision is made in a top-down recursive manner, and the category of the leaf node reached is returned as the result, as shown in Figure 11. The C4.5 decision tree algorithm selects attributes based on the information gain ratio and improves on ID3 (Iterative Dichotomiser 3), a decision tree algorithm that generates decisions from the dataset [60]. The Decision Tree algorithm classifies the data or an unseen case by traversing the tree, and it has been used to detect DDoS attacks. The authors in [61] have used the decision tree algorithm to detect an attack and trace back the attacker's location.


2.11.3. Naïve Bayes Classifier

Naïve Bayes is a simple probabilistic classifier based on Bayes' theorem and is useful for large datasets [62]. A Naïve Bayes model is easy to build when the features in the dataset are independent of each other. It is a fast classifier and is not sensitive to unrelated features. Naïve Bayes performs very well in binary cases, for example when the purpose of the classification is to discriminate whether incoming packets are DDoS or normal. Bayes' theorem calculates the posterior probability as in the equation below, and the classifier assumes that the value of an attribute for a given target is independent of the value of any other attribute [62] [63]. A posterior probability is a conditional probability, here the probability of a target given the feature values of an unseen event. Naïve Bayes learns by computing these probabilities from the training data.

$$P(y \mid x) = \frac{P(x \mid y) \times P(y)}{P(x)} \qquad (1)$$

Equation 1: Bayes' theorem.

Where,

• $P(y \mid x)$ is the posterior probability of the target given the attribute.

• $P(y)$ is the prior probability of the target.

• $P(x \mid y)$ is the probability of the attribute given the target.

• $P(x)$ is the prior probability of the attribute.

Figure 11: Decision Tree Structure. (The figure shows a root node holding the sample data, internal nodes holding feature tests, and leaf nodes holding the output values.)

There are two assumptions in the use of Naïve Bayes. One assumption is that the features must have categorical values, which can lead to over-sensitivity, while the other is that the features of the cases are distributed independently. In network traffic the features depend on each other; however, the Naïve Bayes result is still satisfactory.
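An added example, not from the thesis, that applies Equation 1 feature by feature under the independence assumption to categorical packet features (protocol, size class, rate class), the categorical form the first assumption above calls for; the dataset is constructed, and Laplace smoothing is an assumption added here so that a value never seen in one class does not zero the whole product.

```python
from collections import Counter

# Constructed packet records (not the thesis dataset), all features categorical:
# (protocol, packet size class, packet rate class) -> class label.
TRAIN = [
    (("tcp", "large", "low"), "normal"),
    (("tcp", "large", "low"), "normal"),
    (("udp", "large", "low"), "normal"),
    (("tcp", "small", "low"), "normal"),
    (("udp", "small", "high"), "ddos"),
    (("udp", "small", "high"), "ddos"),
    (("icmp", "small", "high"), "ddos"),
    (("udp", "small", "low"), "ddos"),
]


def train_naive_bayes(rows, alpha=1.0):
    """Count classes and per-class feature values from labelled rows.
    alpha is Laplace smoothing (an assumption added here, not from the thesis)."""
    class_counts = Counter(y for _, y in rows)
    n_feats = len(rows[0][0])
    vocab = [set() for _ in range(n_feats)]                 # values seen per feature
    value_counts = {y: [Counter() for _ in range(n_feats)] for y in class_counts}
    for x, y in rows:
        for j, v in enumerate(x):
            vocab[j].add(v)
            value_counts[y][j][v] += 1
    return {"classes": class_counts, "values": value_counts,
            "vocab": vocab, "alpha": alpha, "n": len(rows)}


def likelihood(model, y, j, v):
    """P(x_j = v | y): smoothed frequency of value v for feature j within class y."""
    alpha = model["alpha"]
    return ((model["values"][y][j][v] + alpha)
            / (model["classes"][y] + alpha * len(model["vocab"][j])))


def posterior(model, x):
    """Equation 1 with the independence assumption:
    P(y | x) = P(y) * prod_j P(x_j | y) / P(x), where P(x) is the sum over classes."""
    joint = {}
    for y, count in model["classes"].items():
        p = count / model["n"]                      # P(y), the prior of the target
        for j, v in enumerate(x):
            p *= likelihood(model, y, j, v)         # P(x_j | y)
        joint[y] = p                                # P(x | y) * P(y)
    evidence = sum(joint.values())                  # P(x), the prior of the attribute
    return {y: p / evidence for y, p in joint.items()}


def classify(model, x):
    """Return the class with the highest posterior probability."""
    post = posterior(model, x)
    return max(post, key=post.get)


if __name__ == "__main__":
    model = train_naive_bayes(TRAIN)
    print(posterior(model, ("udp", "small", "high")))   # ddos about 0.952
    print(classify(model, ("tcp", "large", "low")))     # normal
```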

2.11.4. Logistic Regression

Logistic regression as a classifier is used to classify binary datasets with one or more attributes that predict the target. Logistic regression analyzes the relationship between the attribute variables $x_1, x_2, x_3, \ldots, x_n$ and the response variable $y$. In the case of classifying normal and anomalous traffic, the response variable is $y = 0$ and $y = 1$ respectively. The response variable follows a Bernoulli distribution, and its probability function is given in equation 1 [64], where $\pi_i$ is the probability that $y_i = 1$.

$$f(y_i) = \pi_i^{\,y_i}\,(1 - \pi_i)^{\,1 - y_i} \qquad (1)$$

The generic logistic model is given in equation 2. The maximum likelihood method is mostly used in logistic regression as the parameter estimation method; its function is the following:

(2)

(3)
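Added example, not the thesis's code: the Bernoulli likelihood of equation 1 turned into a log-likelihood and maximized by gradient ascent for a two-feature model. The standard logit form $\pi_i = 1 / (1 + e^{-(w_0 + w_1 x_1 + w_2 x_2)})$ is assumed here, since the page's equation 2 is not reproduced; the flow features are constructed and already min-max scaled.

```python
import math

# Constructed, min-max scaled flow features (not the thesis dataset):
# x = (packets per second, mean packet size); y = 1 for DDoS, 0 for normal.
X = [(0.10, 0.80), (0.20, 0.70), (0.15, 0.90), (0.05, 0.60),
     (0.90, 0.10), (0.80, 0.20), (0.95, 0.05), (0.70, 0.15)]
Y = [0, 0, 0, 0, 1, 1, 1, 1]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def pi(w, x):
    """Assumed logit model: pi_i = sigmoid(w0 + w1*x1 + w2*x2), the probability y_i = 1."""
    return sigmoid(w[0] + sum(wj * xj for wj, xj in zip(w[1:], x)))


def log_likelihood(w, X, Y):
    """log of prod_i pi_i^y_i (1 - pi_i)^(1 - y_i), i.e. the log of the
    Bernoulli likelihood of equation 1 over all observations."""
    ll = 0.0
    for x, y in zip(X, Y):
        p = pi(w, x)
        ll += math.log(p) if y == 1 else math.log(1.0 - p)
    return ll


def fit(X, Y, lr=0.5, steps=500):
    """Maximum likelihood by gradient ascent.
    For the logit model dLL/dw_0 = sum_i (y_i - pi_i) and dLL/dw_j = sum_i (y_i - pi_i) x_ij."""
    w = [0.0] * (len(X[0]) + 1)
    for _ in range(steps):
        grad = [0.0] * len(w)
        for x, y in zip(X, Y):
            err = y - pi(w, x)
            grad[0] += err
            for j, xj in enumerate(x, start=1):
                grad[j] += err * xj
        w = [wj + lr * g for wj, g in zip(w, grad)]
    return w


def predict(w, x):
    """Classify as DDoS (1) when the estimated probability reaches 0.5."""
    return 1 if pi(w, x) >= 0.5 else 0


if __name__ == "__main__":
    w = fit(X, Y)
    print("weights:", w)
    print("log-likelihood at w=0:", log_likelihood([0.0] * 3, X, Y))
    print("log-likelihood after fit:", log_likelihood(w, X, Y))
    print("predictions:", [predict(w, x) for x in X])
```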

Page 39: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

2.12. Summary of Machine Learning DDoS Detection

Distributed Denial of Service is the main threat that the Internet of Things is confronting. Due to the variety of DDoS attack types, no global solution has been provided yet. However, researchers are continuously working on detecting and mitigating DDoS using different techniques and algorithms at the attack source side, in the middle and on the victim side.

Based on the survey in [65], common DDoS attacks such as UDP, SYN flood, ICMP etc. are detected by Probabilistic Packet Marking (PPM) and Deterministic Packet Marking (DPM) techniques, entropy variation, proactive and reactive IP traceback techniques, and Intrusion Detection and Prevention Systems (IDS/IPS) such as signature-based and anomaly-based detection. Each of these techniques provides a different result. The authors in [66] propose another method of DDoS detection to overcome the drawbacks of statistical and classification-based methods, using the multi-protocol-fusion feature (MPFF) in Socially Aware Networking (SAN). The MPFF method is based on an Autoregressive Integrated Moving Average detection model, which effectively distinguishes between normal and DDoS traffic. On the other hand, some researchers are trying to detect DDoS using different machine learning techniques and algorithms; some of the recent research is summarized in Table 1.

Table 1: DDoS Attack Detection Techniques and Algorithm.

| Sr# | Type of Attack | Techniques | Algorithm / Accuracy | Detection Location | Contributor |
|-----|----------------|------------|----------------------|--------------------|-------------|
| 1 | IP, TCP and HTTP | a. Monitoring resource utilization; b. Anomaly detection; c. Traffic filtering | Artificial Neural Network | Destination | [67] |
| 2 | SSH brute-force attack, ICMP flooding attack, DNS reflection, TCP SYN | a. Supervised; b. Unsupervised | a. Linear Regression, SVM, Decision Tree, Naïve Bayes, Random Forest; b. K-means, GMM-EM / 99.7 % | Source | [20] |
| 3 | IP, TCP, UDP, ICMP | Clustering | Fuzzy C-Means, Decision Tree, Naïve Bayes, K-means, SVM, KNN / 98.7 | Not mentioned | [21] |
| 4 | Flooding attack on OSI layers 3, 4 and 7 | a. Signature-based detection; b. Anomaly-based detection; c. Machine learning | C4.5, Naïve Bayes, K-Means / 98.8 | Source | [22] |
| 5 | HTTP | Supervised classification | Naïve Bayes, K-NN / 90% | Not mentioned | [23] |
| 6 | TCP and UDP in SDN environment | Deep learning | J48, Naïve Bayes, NB Tree, Random Forest, Random Tree, Multi-layer Perceptron, SVM / 82.2 % | Source | [24] |
| 7 | TCP, UDP, ICMP | Deep learning using the TensorFlow framework | Long Short-Term Memory RNN / 99.968% | Network | [68] |
| 8 | TCP, UDP, HTTP GET | Classification | KDTree, SVM with linear kernel, Decision Tree, Random Forest and NN / 99% | Source | [69] |
| 9 | DDoS attacks based on the UCLA dataset | Classification | KNN combined with the authors' proposed algorithm | Not mentioned | [44] |
| 10 | TCP, GET/POST | Classification | Naïve Bayes, KNN, Decision Tree, Multi-layer Perceptron, SVM | Not mentioned | [70] |


3. IoT Security Challenges

The security of the enormous number of connected objects that form the IoT is now a big concern for the users of smart or connected objects, the Internet Service Providers, mobile networks and service hosts. The generic IoT architecture is shown in Figure 4 of chapter 1. The security challenges of the objects or user equipment are discussed in section 3.2. However, the security challenges of the mobile core network are not widely discussed, hence section 3.1 discusses the vulnerabilities that exist in the core network and that an attacker can target.

3.1. Security Threats in Mobile Network

To understand the threats in the mobile network, we first need to understand the architecture of the packet core network. The packet core architecture components are described briefly below:

1) User Equipment: The User Equipment (UE) is any device, such as a smartphone or a constrained IoT device, that communicates with the network and consumes services. Each user equipment holds a unique identity while communicating in the network.

2) eNodeB: Evolved NodeB is abbreviated as eNodeB or eNB, and it is an element of the LTE network. The eNodeB connects user equipment to the EPC through an air interface. The link between the eNodeB and the UE is called the radio link. According to 3GPP Release 8, the eNodeB is responsible for radio resource management, user data stream encryption and IP header compression, routing of user plane data to the SGW, scheduling and transmission of paging messages and broadcast information, and selection of an MME at UE attachment when the information provided by the UE does not determine the routing [71].

3) MME: The Mobility Management Entity generally deals with the control plane and handles signaling related to eNodeB security and mobility. However, the MME also deals with the user plane in Do-NAS (Data over Non-Access Stratum). Additionally, the MME is responsible for paging user equipment in idle mode, tracking area list management, roaming, NAS signaling and NAS signaling security [72] [73].


4) HSS: The Home Subscriber Server is a network element responsible for storing all subscriber-specific authorization and service profiles. The HSS acts as a database that holds both the public and private identities of the subscribers, the credentials, the IMSI and data used to indicate the service type each subscriber is using. When a device requests radio resources, the HSS is queried to check the status of the device-specific IMSI. Other functionality of the HSS includes the subscriber location function, home location register for mobile roaming, subscriber service permissions, subscriber preference settings and the mobile authentication server [74].

5) SGW: The Serving Gateway is the local mobility anchor point for inter-eNodeB handover. The SGW is responsible for lawful interception, packet forwarding and routing, and uplink and downlink charging per PDN, UE and QCI [73].

6) PGW: The Packet Data Network Gateway connects the EPC to external IP networks. PGW functionality includes DPI (Deep Packet Inspection), IP address allocation to the UE, lawful interception, user packet filtering, uplink and downlink service level charging and policy control [73].

3.1.1. GSM (Global System for Mobile Communication)

Over the years, the mobile network has shifted from generation to generation, and each generation has its own security vulnerabilities. The authors in [75] have listed GSM (2G) vulnerabilities that can be misused; some of them are the following:

• Vulnerable to the man-in-the-middle attack

• Vulnerable to replay attack

• Flaws in the implementation of A3/A8 algorithm

• Short range protection-encryption over the airways only between MS and BTS

• Users' anonymity leakage

• Vulnerability to DDoS attack by sending CHANNEL REQUEST messages

• No integrity protection


3.1.2. UMTS (Universal Mobile Telecommunication System)

UMTS, which is also called the 3G mobile system, is compatible with GSM/GPRS. Despite the specific security architecture of UMTS (3G), which led to the emergence of new services and played a key role in network evolution, mobile users' identity and location are among the concerns with 3G. A user's identity might be identified by the IMSI in wireline path signaling. Another problem is firewalls, which already had security problems in the fixed network and carry those problems to the 4G mobile network as well. Firewalls protect UMTS clear-text data from external attack; however, attacks can come from another mobile network subscriber, or from anyone who can access the UMTS core network. The existing VPNs also do not provide the required flexibility to establish secure connections for mobile users. Data privacy is also a concern with UMTS, since in the WAP architecture the data transmitted inside the gateway is not encrypted [76].

3.1.3. LTE (Long Term Evolution)

The next generation of the mobile telecommunication system, known as 4G, is recognized for its increased security and reliable communication. The 4G network is entirely IP based, since it uses the TCP/IP architecture. The evolution of the GPRS infrastructure that led to 4G has different components, the main ones being the MME, HSS, SGW and PGW; refer to Figure 1 in chapter 1. Together these components make up the Evolved Packet Core (EPC), which is also called the EPS (Evolved Packet System). The 4G architecture contains only two elements, the EPS and the eNodeB; refer to Figure 1 in chapter 1. The researchers in [77] [78] have classified LTE threats into the following categories:

a) Users' Identity and Privacy: Illegal access to and usage of user equipment identities to access network services, or modification of a user's identity to perform malicious activity.

b) User Equipment Tracking: IP-based tracking of a UE/UEIM that might be linked to an IMSI.

c) DoS Threat: The possibility of launching a DoS attack against another user equipment.

d) Unauthorized Access to the Network: Any unauthorized access to an EPC component can lead to different attacks and security degradation.


e) Physical Access to eNodeB and Compromise of eNodeB Credentials: Unauthorized access to an eNodeB can lead to launching an attack on any node in the EPC. Faked or cloned credentials, false configuration, and data associated with an algorithmic remote attack can cause major security issues.

f) Protocol Attack: Exploiting security vulnerabilities of any protocol on any node's interface can easily cause a DDoS attack and other security issues.

g) Jamming: Jamming is an attack in which a jammer transmits energy through the RF medium to disrupt a service or cause a denial of service. Jamming in LTE can be performed in the uplink and the downlink. In the uplink, jamming targets the base station, while in downlink jamming the target is the user equipment, where the signal is transmitted from the base station to the user equipment. Protocol-aware jamming is another form of jamming attack in LTE networks, enabled by protocol openness. Also, messages broadcast by the base station are not encrypted, which can lead to eavesdropping and sniffing attacks [78]. Anastasios et al. [77] state that the X.805 security framework architecture illustrated in Figure 12 is recommended for 4G wireless networks as well. The X.805 network security framework is structured in three layers, which are the application, service and infrastructure layers; three planes, which are the user, control and management planes; and eight security dimensions, which are access control, authentication, data integrity, data confidentiality, non-repudiation, privacy, communication security and availability.


The survey by Yongsuk et al. [79] shows that, due to the heterogeneous and IP-based nature of the 4G network, there are possibilities of new threats that might lead to disclosure of information and unexpected service interruption. The possible threats in 4G consist of user ID theft, service theft, DoS and IP spoofing, and the massive number of connected heterogeneous devices is also considered a potential security hole for the infrastructure. The devices that 4G connects can overwhelm any node of the 4G mobile network in different ways, such as DDoS. Security issues do not end easily, and security research and development will always remain open.

Figure 12: The ITU X.805 Security Framework Architecture [77].


3.2. NB-IoT Challenges

Narrowband IoT is an LPWAN radio technology that enables a broad range of services and devices to be connected to the cellular telecommunication band; it is specifically designed for IoT and standardized by 3GPP [80], as discussed in chapter 1 under the delimitation section. NB-IoT is developed to transmit the small packets of data generated by low-power and less talkative IoT devices that may transmit several bytes of data per day. NB-IoT operates on 880-960MHz and 791-832KHz [81]. However, there are some limitations in NB-IoT that might be targeted by an attacker. The purposes of NB-IoT as introduced in 3GPP Release 13 are improved indoor coverage of 20 dB compared to legacy GPRS devices, support for at least 52547 low-throughput devices, reduced complexity and efficient power consumption, with a target of ten years of battery life from a 5 Wh battery at 164 dB MCL. NB-IoT can be deployed in stand-alone mode, in in-band mode and within the guard band of an existing LTE carrier, as shown in Figure 13 [82].

Figure 13: NB-IoT Deployment [82].

Considering the existing LTE infrastructure, where a portion of an LTE cell supports NB-IoT, a problem arises when a device must be served by the best NB-IoT cell, which is far from the device, while the strongest LTE cell is close to the device, as presented in Figure 14. In this case, coverage is challenging, and there is a significant path loss from the serving cell. Therefore, there might be low SINR and weak coverage due to LTE cell interference in a partial NB-IoT deployment. Another problem with NB-IoT arises from asynchronous networks: NB-IoT suffers from co-channel interference. Physical Resource Block (PRB) blanking is an approach to avoid co-channel interference when subframe-level synchronization exists among the cells. If the NB-IoT cells are properly synchronized and the NB-IoT subcarriers are orthogonal to the LTE subcarriers, NB-IoT cells will not face interference from adjacent LTE PRBs. However, if cell synchronization and orthogonality are not maintained, the adjacent LTE PRBs can potentially interfere [83].

Since NB-IoT is a new and emerging technology, there are some open issues and limitations that need to be addressed. NB-IoT's design purpose is to support a huge number of heterogeneous devices and different applications with widely varying requirements such as latency, reliability and bandwidth. The heterogeneous nature of IoT makes it a challenge to build a uniform framework. Security and privacy are another concern of everyone with IoT. The same concern applies to NB-IoT, due to the possibility of eavesdropping attacks because of the weakness of the RF radio channel. Also, the constrained nature of the devices and the narrow bandwidth of NB-IoT make it more challenging to run an effective security technique through simple algorithms, since the majority of techniques require enough battery and processing power for message exchange. Old energy management and control technology combined with the complicated channel of NB-IoT is also a big issue, and the energy capacity of current devices is considered too low to meet the NB-IoT feature set [84]. Another issue with NB-IoT is that the S11-U interface might crash with larger packet sizes.

Figure 14: NB-IoT Partial Deployment [83].

3.3. IoT Threat Enabling Features

According to the researchers in [85], new security threats and challenges are emerging from IoT. To understand the new threats, we need to understand the new features of IoT that cause them. Some of the features that cause threats are briefly explained below:

1. Ubiquitous: IoT is involved in every aspect of our lives. People with no knowledge of device security are using the devices, and manufacturers also do not pay much attention to device security. Manufacturers do not provide any security suggestions or information about the sensitive data that the device collects. One of the current causes of attacks is the insecure default configuration of these devices. However, network operators can observe and control abnormal behavior of the devices.

2. Intimacy: There are intimate relationships between IoT devices and users. Some devices collect sensitive biological data and also monitor our environment. An attacker can easily gain sensitive data, for example to identify whether a home is occupied by inferring activity from smart home network traffic [86].

3. Diversity: IoT has a variety of devices, use cases and applications. Different cloud platforms manage IoT with different security mechanisms and protocols. Diversity in device capabilities and protocols makes it difficult to have a global defense system. Attackers take advantage of this diversity to launch DDoS attacks. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and anomaly detection systems would help to prevent attacks.


4. Unattended: Some IoT devices, like Implantable Medical Devices (IMDs), are special-purpose devices. These constrained devices operate in a special physical environment for a long time without human intervention. Both applying security computing and identifying whether these devices have been hacked remotely is very hard. However, the authors in [87] propose a lightweight trusted execution environment for these types of embedded devices.

5. Mobile: Many IoT devices are mobile and move from network to network, for example a smart vehicle that collects road information while moving from one place to another. Attackers can spread malicious code by injecting it into a mobile device or node. Dynamically changing device configurations in different networks would decrease the probability of being attacked.

3.4. IoT Protocols Vulnerabilities

IoT uses different communication technologies to connect heterogeneous devices and deliver services. Examples of IoT protocols are Wi-Fi, Bluetooth, Z-Wave, IEEE 802.15.4 and LTE. IoT also has some specific communication technologies such as Ultra-Wide Bandwidth (UWB), Near Field Communication (NFC) and RFID. The possible threats in IoT protocols should be identified before countermeasures are applied. The IoT-specific protocols shown in Figure 15 are first introduced, and then their vulnerabilities are explained below.


Figure 15: IoT Protocol Stack.

3.4.1. CoAP (Constrained Application Protocol)

The lightweight CoAP is an application layer protocol designed explicitly by the IETF for constrained devices. This protocol can integrate with HTTP, including the GET, POST, PUT and DELETE methods, in a client-server architecture. CoAP runs over UDP with low overhead, and it also supports multicast communication. It has two types of messages, CON (Confirmable) and NON (Non-Confirmable), with a maximum length of 1400 bytes and a 32-bit header [88].

To secure the messages, a Datagram Transport Layer Security (DTLS) binding to CoAP is needed. Although DTLS is an extra protection layer for application layer security, there are ongoing debates about the limitations of DTLS. The challenges of CoAP with DTLS include the large DTLS header that does not fit in the IEEE 802.15.4 MTU, the heavy handshake, incompatibility with CoAP proxy mode, and computation cost.

Figure 15 layers: Application layer (CoAP, MQTT, AMQP, XMPP); Transport layer (UDP, DTLS); Network layer (6LoWPAN); Link layer (IEEE 802.15.4).


However, the large header and heavy handshake are compressed over the 6LoWPAN protocol, and in 6LoWPAN-GHC (Record + Handshake) the header is reduced by 3-5 bytes, but the authors have not mentioned whether the compression affects security [89]. Another limitation of DTLS, according to the authors in [90], is group communication. DTLS does not support multicast, while CoAP uses multicast to broadcast services to a group at the same time, e.g. turning on the smart lights of all rooms on a floor at once. For secure multicast, a proxy/6LoBR is proposed to translate from HTTP to CoAP and from TLS to DTLS. The proxy decides whether the destination is multicast or unicast. However, the authors in [90] believe that it is not possible for HTTP and its underlying protocol to mark a message as multicast. When HTTP clients want to obtain a service from a CoAP backend server, the proxy translates the requested packet by scanning it. Although CoAP is one of the most widely used protocols in IoT with the help of DTLS, there are areas where DTLS cannot handle security and performance simultaneously.

The experiment performed in [91] shows that DoS attacks can be launched by repeatedly sending CoAP requests to a border router in a smart home. The result shows that by sending malicious requests every 500 ms, 75% of legitimate packets are lost, and the smart home is easily damaged by CoAP flooding. However, with the secure mode of the transceivers enabled, no impact on the communication is observed under the DoS attack.

3.4.2. MQTT (Message Queuing Telemetry Transport)

MQTT is a messaging protocol that uses a broker-based publish-subscribe model to connect constrained devices and networks with middleware and applications. In a publish-subscribe system, messages are delivered from a publisher to subscribers based on the parameters of the messages, and publishers and subscribers have no information about each other's identity. The publisher in MQTT runs over TCP and conveys the message via three levels of QoS. MQTT has three components: publisher, subscriber and broker. MQTT is an appropriate messaging protocol for IoT and M2M communication that requires low power, low memory and low bandwidth [92].


Ahmad et al. [93] have categorized the IoT threat agents in an MQTT system into four types:

1) Malicious Internal User: A user who has legitimate access to the device and uses it for malicious purposes. A malicious user who has access to the MQTT broker can generate attacks as well.

2) Curious User: A user or researcher who wants to find the gaps and vulnerabilities in the IoT environment.

3) Bad Manufacturer: A manufacturer who leaves a door open for attackers to obtain information about the users of the devices or to access the devices remotely. Adversaries can then inject malicious code into the MQTT client or the broker to launch an attack or collect sensitive information.

4) External Attacker: An expert hacker who gains access to any component of the MQTT-based system to perform malicious activity.

In an MQTT-based IoT environment, attackers can launch DoS, identity spoofing, information disclosure, elevation of privilege and data tampering attacks. In the MQTT system, where the broker's main task is to deliver messages from the publisher to the subscribers, disrupting the broker's services can cause DoS. Attackers can also cause DoS by exhausting the MQTT client and broker with messages larger than 256 MB, which is MQTT's maximum payload size. Additionally, MQTT is based on TCP, and it is vulnerable to TCP DoS attacks such as bandwidth consumption, SYN flood etc. An unsecured MQTT broker can cause a variety of threats to IoT. For example, if an attacker gains access to a compromised broker, this can result in all information, including sensitive information, being published to the public, in modification of the information stored in the broker, or in launching DoS [94]. Although MQTT relies on SSL/TLS for its security mechanism, implementing them on constrained devices is expensive [95].
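A broker-side check of the kind that mitigates the oversized-message DoS described above, as an added example rather than code from the thesis or from any MQTT implementation: it decodes the MQTT 3.1.1 Remaining Length field (a 1 to 4 byte variable byte integer whose maximum, 268 435 455 bytes, is the 256 MB limit) and rejects a packet from the fixed header alone, before any payload is buffered, when the declared size exceeds a configured per-connection limit; the limit value used is constructed.

```python
# MQTT 3.1.1 fixed header: one byte (packet type in the high nibble, flags in the
# low nibble) followed by the Remaining Length, a variable byte integer of 1 to 4
# bytes carrying 7 bits each plus a continuation bit. Its maximum encoding
# 0xFF 0xFF 0xFF 0x7F equals 268 435 455 bytes, the 256 MB limit of the protocol.
MQTT_MAX_REMAINING_LENGTH = 268_435_455


def encode_remaining_length(n):
    """Variable byte integer encoding; used here only to build test packets."""
    if not 0 <= n <= MQTT_MAX_REMAINING_LENGTH:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n > 0:
            digit |= 0x80          # continuation bit: more bytes follow
        out.append(digit)
        if n == 0:
            return bytes(out)


def decode_remaining_length(data, offset=1):
    """Return (remaining_length, bytes_consumed) for the field starting at data[offset].
    Raises ValueError when the field is truncated or malformed (more than 4 bytes)."""
    multiplier = 1
    value = 0
    consumed = 0
    while True:
        if offset + consumed >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, consumed
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length: continuation bit set in 4th byte")


def check_fixed_header(data, max_packet_size):
    """Admission check on the fixed header alone. Returns (packet_type,
    remaining_length), or raises ValueError when the declared total packet size
    exceeds max_packet_size, a per-connection policy value chosen by the operator
    (the value used below is constructed, not taken from the thesis)."""
    if not data:
        raise ValueError("empty header")
    packet_type = data[0] >> 4
    remaining, consumed = decode_remaining_length(data)
    declared = 1 + consumed + remaining
    if declared > max_packet_size:
        raise ValueError(f"declared packet size {declared} exceeds limit {max_packet_size}")
    return packet_type, remaining


if __name__ == "__main__":
    LIMIT = 1024 * 1024  # constructed policy: 1 MiB per packet for constrained clients
    # Constructed PUBLISH header (type 3) declaring a 321-byte remainder.
    print(check_fixed_header(b"\x30" + encode_remaining_length(321), LIMIT))
    # Constructed PUBLISH header declaring the protocol maximum: rejected by policy.
    try:
        check_fixed_header(b"\x30" + encode_remaining_length(MQTT_MAX_REMAINING_LENGTH), LIMIT)
    except ValueError as exc:
        print("rejected:", exc)
```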


3.4.3. AMQP (Advanced Message Queueing Protocol)

AMQP is a lightweight M2M communication protocol that supports both publish-subscribe and request-response architectures. An AMQP system requires an "exchange" name for the publisher and subscriber to discover each other. That name can be created either by the publisher or by the subscriber and is broadcast. The subscriber then creates a "queue" and attaches it to the "exchange", and messages on the exchange are matched to the queue through a "binding". AMQP runs over TCP like MQTT and uses SSL/TLS and SASL for security. It is connection-oriented and is considered a reliable and secure protocol [96].

Although AMQP uses SSL/TLS-based encryption over TCP-based transmission, there are still vulnerabilities that an attacker can use to intercept IoT communication, since the underlying protocol for AMQP is TCP/IP and attackers have already exploited TCP weaknesses in different ways. Therefore, AMQP-based IoT systems are also susceptible [97].

3.4.4. XMPP (Extensible Messaging and Presence Protocol)

The XMPP protocol is based on XML (Extensible Markup Language) and provides real-time communication. XMPP has a client-server architecture and runs on the TCP/IP stack. Since XMPP is based on XML, it can be used in numerous custom applications such as instant messaging services, notifications, and communication between machines, objects, sensors, actuators etc. For secure authentication and encryption, XMPP uses SASL and TLS [98].

The authors in [95] state that XMPP has failed to provide end-to-end encrypted communication for IoT implementation and deployment. Insecure XMPP is vulnerable to attacks like password sniffing, eavesdropping, accessing the servers through unauthorized entry, insertion, deletion, replay and many more.


3.4.5. UDP (User Datagram Protocol)

UDP is one of the most widely used protocols in IoT. UDP is stateless and fast in datagram delivery for many IoT use cases, such as a camera. It is an unreliable and insecure protocol; therefore, attackers have been launching different types of attacks using the UDP protocol. Devices that use UDP can be used to launch DDoS attacks. This protocol is used in this thesis to launch a DDoS attack.

3.4.6. 6LoWPAN

6LoWPAN, which stands for IPv6 over Low-power Wireless Personal Area Networks, is designed by the IETF for low power and lossy networks that use the IEEE 802.15.4 standard as their physical and MAC layer. Devices that use 6LoWPAN are characterized by their low bit rate, short range, low computational power, low cost and constrained memory.

The authors in [99] have investigated vulnerabilities in 6LoWPAN through a fuzzing methodology using Scapy. Fuzzing is a highly automated technique that is widely used to find unexpected scenarios and flaws in network protocols that might be exploited by an attacker.

The authors of [100] state that an attacker can misuse the routing mechanism and fragmentation of 6LoWPAN to prevent the correct processing of legitimate fragmented packets. The researchers considered constrained devices with tens of kilobytes of RAM and a few MHz of computational power that communicate over a low power wireless network, and found 6LoWPAN to be vulnerable to the following attacks. In a fragment duplication attack in the 6LoWPAN layer, the recipient cannot differentiate a legitimate fragment from a spoofed one and has to process all fragments that it receives which apparently belong to the same IPv6 packet according to the 6LoWPAN datagram tag and the receiver's MAC address. An attacker can also selectively block specific fragments at the target node, for example blocking the DTLS handshake packet to prevent a secure session by inspecting packets for DTLS messages. The attacker can then inject a random payload with spoofed FRAGNs and a fragment that connects the attacker's fragment to the legitimate 6LoWPAN packet. Similarly, the attacker can block and inject any fragment.


The buffer reservation attack is another attack on the 6LoWPAN layer, in which the attacker targets the scarce memory of constrained devices. In this attack, as in the previous one, the target cannot differentiate between legitimate and attack fragments. To launch a buffer reservation attack, the attacker sends a single FRAG1 with some random payload to the target node. If the target node's reassembly buffer is not already occupied, receiving the FRAG1 reserves it for reassembling the attacker's fragmented packet. The attacker then either does not send the remaining FRAGNs, or keeps the buffer reserved by periodically sending FRAGNs timed to the target node's reassembly timeout. Hence, the target is unable to process any other fragmented packet. In both the buffer reservation and the fragment duplication attack, the attacker identifies its target node through the routing mechanism used in the 6LoWPAN network [100].

Another recent study [101] classifies 6LoWPAN security threats into end-to-end and hop-by-hop attacks. Hop-by-hop attacks on 6LoWPAN networks are caused by internal malicious nodes that want to damage the network. This type of attack targets radio hops, the route discovery process and the physical link. Jamming, tampering, battery exhaustion, Sybil, wormhole, blackhole, spoofing and selective forwarding attacks fall under this category, which is caused by unprotected equipment and the attacker's ability to manipulate the 6LoWPAN layer. End-to-end attacks on IPv6-based WSN networks are caused by external unauthorized equipment, and attacking the end-to-end link damages the entire network. End-to-end security is essential to avoid packet modification and to rebuild fragments, since the equipment performs IPv6 packet fragmentation and reassembly. Attacks of this category happen between the IPv6 end host and the 6LoWPAN border router, for example overwhelming the edge router by generating a massive amount of traffic, or interrupting communication by injecting false messages at the border router.


3.4.7. 802.15.4 Standard

With the growth of IoT, the IEEE 802.15.4 physical layer standard is also gaining popularity because of its low power consumption. However, secure data communication is a big challenge for low power protocols. Many techniques have been recommended to provide secure communication over different layers of the protocol stack. These techniques fall into computational security, i.e. physical layer and upper layer encryption, and information-theoretic security, which is achieved by physical layer security methods. Physical layer encryption methods depend on the data modulation scheme. The majority of security schemes target upper layer security, such as end-to-end encryption in various upper layer protocols, but they still cannot prevent threats and attacks such as flooding attacks, DoS and traffic analysis [102]. 802.15.4 security is supported by the MAC layer, which offers security services like integrity and confidentiality. However, these services come at the cost of power consumption, which is not easy for 802.15.4 devices. A steganography method is proposed in [103] for secret data transmission by creating a covert channel; the main disadvantage of this method is the low data rate of the covert channel.

The authors of [102] have proposed a secure, low power IEEE 802.15.4 transceiver architecture. The efficiency of the architecture is tested against traffic analysis, energy depletion and brute force search attacks, and it also offers the main security services such as confidentiality, integrity, availability, authentication and data freshness. The block diagram of the proposed architecture is shown in Figure 16.

Figure 16: IEEE 802.15.4 Secure Transceiver Block Diagram [102].


Meanwhile, the authors in [104] also state that the physical layer is vulnerable to jamming and eavesdropping attacks due to the broadcast nature of wireless communication, and classify physical layer security techniques into the following: information-theoretic security, artificial-noise added security, security-oriented beamforming, security diversity methods and physical layer secret key generation.

According to the research in [105], IEEE 802.15.4 has weaknesses in integrity protection, IV management and key management. The IV management problem arises from using the same key in multiple ACL entries. Since the keys and their associated nonces are stored in 255 ACL entries, the confidentiality property breaks if the same key is used in two different ACL entries. As 802.15.4 devices are battery powered, the ACL state is lost when a device loses power; when power is restored, the device comes up either with a cleared ACL table or with the nonce state reset to zero, which compromises security. Another category of problem with 802.15.4 is key management: when devices want to communicate amongst themselves, there is no support for group keying or shared keying. In addition, 802.15.4 is vulnerable to single-packet denial of service when the AES-CTR suite is used with replay protection enabled.

3.5. IoT Protocol Vulnerabilities

IoT expands the global network of connected devices, and this network of insecure connected devices brings challenges to network operators. To investigate and address the security issues of these devices from a packet core perspective, understanding and identifying the vulnerabilities of their communication protocols is what leads to implementing security solutions. Therefore, in this chapter we have gone through the functionality, features, security mechanisms, vulnerabilities and limitations of IoT-specific protocols, since data reliability, integrity and availability rely on the underlying protocols. The table below presents a summary of IoT protocol vulnerabilities. We explored the Common Vulnerabilities and Exposures (CVE) database for known AMQP, MQTT and XMPP vulnerabilities from 2005 to 2018 and list the major ones in the table below [106].


Protocol | Vulnerabilities/Limitations | Contributor

AMQP (contributors: [96], [97], [106])
- Remote code execution due to insufficient encapsulation
- An attacker can cause DoS by transmitting a "Change Cipher Spec" packet without a preceding handshake
- Azure IoT SDK spoofing vulnerability due to improper validation of AMQP certificates by Azure IoT devices
- According to the CVE database [106], the AMQP Qpid broker is vulnerable to: crafted malicious code and remote code execution; an attacker crashing the broker instance; memory exhaustion of the broker, and eventually its termination, because the maximum AMQP frame size is not enforced; remote authentication bypass; DoS through the AMQP type decoder when a huge number of zero-width messages and invalid message sequences are sent
- The open source nature of AMQP allows industry to add specific extensions; poorly written developer code also adds vulnerabilities
- Inherent TCP/IP vulnerabilities
- AMQP is vulnerable to replay, masquerade, modification and DoS attacks

CoAP (contributors: [91], [90], [89])
- CoAP challenges with DTLS include: the large DTLS header that does not fit in the IEEE 802.15.4 MTU; the heavy handshake; incompatibility with CoAP proxy mode; lack of multicast support
- An attacker can launch a DoS attack by repeatedly sending CoAP requests to a border router

MQTT (contributors: [95], [93], [106])
- MQTT is vulnerable to DoS, identity spoofing, information disclosure, elevation of privileges and data tampering
- Disrupting MQTT broker services can cause DoS
- An unsecured broker can expose IoT to any of these threats
- Attackers cause DoS by exhausting the MQTT client and broker with messages greater than 256 MB, MQTT's maximum payload size
- Vulnerable to TCP attacks such as TCP SYN flood and bandwidth consumption
- Though MQTT relies on SSL/TLS, implementing them on constrained devices is very expensive
- According to the CVE database [106], MQTT is vulnerable to: users accessing sensitive information in the Mosquitto broker; remote code execution; an attacker halting the MQTT broker by filling its memory with connections carrying large payloads; DoS by a crafted MQTT subscribe packet; DoS by crafted MQTT authentication data

XMPP (contributors: [95], [98], [106])
- Failure of end-to-end encrypted communication
- Insecure XMPP is vulnerable to password sniffing, eavesdropping, accessing the server via unauthorized entry, inserting, deleting, replay, etc.
- According to the CVE database [106], XMPP is vulnerable to: spoofing attacks; DoS due to improper restriction when processing compressed XML; DoS through crafted timestamp values and XML content in XMPP messages; various social engineering attacks such as impersonating a legitimate user; directory traversal; man-in-the-middle attacks that bypass TLS protection

6LoWPAN (contributors: [100], [101])
- Fragment duplication attack
- Fragment injection
- Selective blocking of specific fragments at the target node
- Selective forwarding attack
- Buffer reservation attack, which targets the memory of constrained devices
- End-to-end and hop-by-hop attacks that target radio hops, routing discovery and the physical link: jamming, battery exhaustion, Sybil, wormhole, spoofing, etc.

802.15.4 (contributors: [104], [105])
- The physical layer is vulnerable to jamming and eavesdropping attacks due to the broadcast nature of wireless communication
- IEEE 802.15.4 has weaknesses in integrity protection, IV management and key management. The IV management problem arises from using the same key in multiple ACL entries: the confidentiality property breaks if the same key is used in two different ACL entries
- 802.15.4 is vulnerable to single-packet denial of service when the AES-CTR suite is used with replay protection enabled


3.6. Summary

This chapter provided a detailed explanation of IoT challenges from a packet core perspective. It started by addressing security threats in mobile networks including GSM, UMTS and LTE. It then went through the security challenges of NB-IoT, which is the target of this thesis, and continued by describing the threat-enabling features of IoT. In the last section, it provided a detailed study of IoT protocol vulnerabilities.


4. Machine Learning for DDoS Detection in the Packet Core Network for IoT

In the previous chapters, IoT security challenges from a packet core perspective were discussed, and DDoS attacks launched by constrained IoT devices were identified as one of the most dominant attacks. This chapter explains the machine learning-based method we have proposed for IoT DDoS detection in the packet core. It also describes the tools and technologies we used in our experimental setup to generate traffic that mimics DDoS in the packet core network. Lastly, it introduces the machine learning classifier implementation.

4.1. Method for DDoS Detection

We have followed the experimental research methodology (see section 1.7), which consists of three phases as shown in Figure 17. The figure shows how we have applied this methodology to DDoS detection. The data collection phase consists of generating traffic and capturing it. In the feature selection phase, the features that indicate a DDoS attack in the stored data were selected. In the machine learning classifier phase, the classification model separates DDoS and normal traffic in the dataset. The following sections describe these steps in detail. To understand how the proposed method detects DDoS attacks, we first need to understand how a packet traverses from IoT devices to IoT application servers.


Figure 17: Experimental Research Methodology.

Generally, in the packet core network, a user packet passes from the eNodeB to the Serving Gateway (SGW), from the SGW via the S5/S8 interface to the Packet Gateway (PGW), and from the PGW to the application server, as shown in Figure 20. In NB-IoT, however, the packet passes from the eNodeB to the MME, and from the S11-U interface of the MME it is forwarded to the SGW and then to the PGW. This is called DoNAS (Data over NAS), meaning that in NB-IoT user data is sent over NAS (Non-Access Stratum). Therefore, to detect DDoS attacks originating from NB-IoT devices, the SGW is the first entry point where we can perform deep packet inspection.

Figure 18: GTP-U Packet illustration.


When an IP packet is generated by the UE to reach a destination, it is forwarded to the eNodeB. When the eNodeB receives it, it places the packet, now the inner packet, behind a GTP header inside another IP packet, the outer packet, as in Figure 18. The encapsulated packet is carried inside IP and UDP headers and transmitted as an Ethernet frame to the Serving Gateway [107]. To detect DDoS, the inner packet must be inspected.

To better understand how a user packet traverses the packet core network, let us assume a scenario in which Alice wants to communicate with Bob in an LTE network, as in Figure 19. There is a 10.10.20.0/24 network between the eNodeB and the SGW and a 10.10.10.0/24 network between the SGW and the PGW. The PGW assigns Alice the globally routable address 46.1.78.189, which is translated to 10.40.40.12. When Alice's packet reaches the eNodeB, the eNodeB encapsulates it in another packet and forwards it to the SGW; the SGW forwards it to the PGW, and finally it is forwarded to Bob [108]. We detect DDoS at the SGW before the traffic reaches the PGW and the target service.

Figure 19: End to End Communication in GTP Tunneling in EPC.


NB-IoT uses the S11-U interface of the MME for data transmission, which is an interface for small data transmission between the SGW and the MME in CIoT (Cellular IoT) [109]. S11-U uses the GPRS Tunneling Protocol user plane (GTP-U). GTP-U is used in the user plane to transmit user data traffic in GSM, UMTS and LTE core networks. GTP is an IP/UDP-based protocol used to encapsulate user data while it passes through the core network. GTP provides mobility for the UE by tunneling between the eNodeB, MME, SGW and PGW. GTP-U's primary job is per-client tunneling of IP packets, echo requests/replies, and error reporting for path maintenance. GTP has two versions: GTPv1-U, which transports user plane data, and GTPv2-C, which carries control plane signaling, for example activating or deactivating the EPS (Evolved Packet System).

Normally, in GTP tunneling in the core network, both malicious and normal packets look the same and are placed inside the GTP packet, while the inner packet is not inspected. In order to detect the DDoS attack, we have to look at the GTP user plane (GTPv1-U) to inspect the inner packet. In LTE, GTP tunneling is performed between the eNodeB, SGW and PGW, and the packet traces of a UE are illustrated in detail in Figure 19. Each node assigns a different IP address to the outer packet while keeping the actual source/destination IP encapsulated, for the purpose of mobility and security. In NB-IoT, however, GTP tunneling is performed from the MME to the SGW and PGW, as illustrated by the orange arrow in Figure 20.

Our proposed method, as illustrated in Figure 20, captures the packets at the SGW and performs deep packet inspection there to read the inner packet, extracting the features that indicate DDoS attacks in order to recognize malicious packets. Machine learning classification algorithms then discriminate between normal and DDoS packets. If the packets are classified as normal traffic, they are forwarded by the SGW to reach the application server through the PGW. Otherwise, the packets are forwarded to the MME, represented by the red arrow in the figure below, which is the node responsible for temporarily or permanently blocking the devices that transmitted them.
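The encapsulation of Figure 18 and the inspection step of the proposed method, as an added example that is not part of the thesis: a pure-Python (standard library, no Scapy) builder and parser for GTPv1-U datagrams on the eNodeB-to-SGW leg (the S11-U leg from the MME carries the same format), which strips the outer IP/UDP/GTP-U headers and returns the inner packet's fields that the detection features are built from. The TEID 0x1234, the eNodeB/SGW addresses inside 10.10.20.0/24 and the server address 203.0.113.5 are constructed; Alice's address 10.40.40.12 is the one from the scenario above.

```python
import socket
import struct

# Constructed example, not the thesis's code: build and decapsulate GTPv1-U datagrams
# as seen by the SGW, so that the inner (user) packet can be inspected.

GTPU_PORT = 2152      # GTP-U runs over UDP port 2152
GTPU_GPDU = 0xFF      # message type of a tunnelled user packet (G-PDU)
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header without options; checksum left at zero (sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_segment(sport, dport, flags):
    """20-byte TCP header with no payload; seq/ack/window values are arbitrary."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 64, 0, 0)


def gtpu_encapsulate(outer_src, outer_dst, teid, inner, seq=None):
    """Wrap an inner IP packet the way the eNodeB (or MME for DoNAS) does before
    forwarding it to the SGW. If seq is given, the S flag and the optional 4-byte
    field (sequence number, N-PDU number, next extension type) are included."""
    if seq is None:
        gtp = struct.pack("!BBHI", 0x30, GTPU_GPDU, len(inner), teid)
    else:
        # the length field counts everything after the 8 mandatory bytes
        gtp = struct.pack("!BBHIHBB", 0x32, GTPU_GPDU, len(inner) + 4, teid, seq, 0, 0)
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp) + len(inner), 0)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp) + len(gtp) + len(inner))
    return outer + udp + gtp + inner


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return {"ihl": ihl, "total_len": struct.unpack("!H", buf[2:4])[0], "proto": buf[9],
            "src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20])}


def decapsulate(datagram):
    """Deep packet inspection of one outer IP datagram at the SGW: strip IP/UDP/GTP-U
    and return the inner packet's addresses, ports, length and SYN/ACK flags."""
    outer = parse_ipv4(datagram)
    if outer["proto"] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    off = outer["ihl"]
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", datagram[off:off + 8])
    if dport != GTPU_PORT:
        raise ValueError("not GTP-U")
    gtp = datagram[off + 8:]
    flags, msg_type, length, teid = struct.unpack("!BBHI", gtp[:8])
    if flags >> 5 != 1 or msg_type != GTPU_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    hdr_len = 8
    if flags & 0x07:                        # E, S or PN set: optional 4 bytes present
        hdr_len = 12
        next_ext = gtp[11] if flags & 0x04 else 0
        while next_ext:                      # walk the extension header chain
            ext_len = gtp[hdr_len] * 4       # first byte is the length in 4-octet units
            next_ext = gtp[hdr_len + ext_len - 1]
            hdr_len += ext_len
    inner = gtp[hdr_len:8 + length]          # a G-PDU's payload is the user's IP packet
    ip = parse_ipv4(inner)
    l4 = inner[ip["ihl"]:]
    info = {"teid": teid, "outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": ip["src"], "inner_dst": ip["dst"], "proto": ip["proto"],
            "inner_len": ip["total_len"], "src_port": None, "dst_port": None,
            "syn": False, "ack": False}
    if ip["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    if ip["proto"] == IPPROTO_TCP:
        info["syn"] = bool(l4[13] & TCP_SYN)
        info["ack"] = bool(l4[13] & TCP_ACK)
    return info


def sample_syn_datagram(seq=None):
    """Constructed sample: Alice (10.40.40.12) sends a SYN to placeholder server
    203.0.113.5; eNodeB 10.10.20.1 tunnels it to SGW 10.10.20.2 with TEID 0x1234."""
    inner = ipv4_header("10.40.40.12", "203.0.113.5", IPPROTO_TCP, 20) \
        + tcp_segment(40000, 80, TCP_SYN)
    return gtpu_encapsulate("10.10.20.1", "10.10.20.2", 0x1234, inner, seq)


if __name__ == "__main__":
    print(decapsulate(sample_syn_datagram()))
```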


Figure 20: Proposed Method for DDoS Detection.

4.2. Experimental Setup

A virtual environment is used to simulate the source and target of the DDoS attacks. To generate a DDoS attack and detect it using machine learning, different tools and packages have been used, which are described below.


4.2.1. Data Collection Phase

Data is always required in machine learning to train an algorithm. There are datasets available for network traffic classification, such as the CAIDA dataset [110] recorded in 2007. For the CAIDA DDoS dataset, the authors do not guarantee that non-malicious data has been completely removed, so using it may not give the best result, since normal packets may be included as DDoS packets. NSL-KDD [111] is another dataset widely used by researchers. It contains numerous attacks, including six types of DDoS attack, and the data is labeled with the attack type as well as normal traffic. However, the authors do not mention whether the data was generated by constrained IoT devices. Therefore, we chose to generate data based on our own requirements.

To detect DDoS attacks using machine learning, we needed both DDoS and normal network traffic. We generated DDoS and normal traffic separately and then combined them.

4.2.1.1. Normal and DDoS Traffic Collection

To generate DDoS traffic, we used two Kali Linux virtual machines running on Oracle VirtualBox on a laptop as the source and target of the attack. Both the attack source machine and the victim machine are connected to Wi-Fi. Network traffic is recorded on the victim machine using Wireshark. TCP SYN and UDP floods are generated using the hping3 utility of Kali Linux [112]. We ran the DDoS attack for roughly 1.5 minutes for each of the protocols and captured 800,000 packets.

To collect normal traffic, we used two constrained IoT devices that interact regularly for around 12 minutes. The first device is the Fibaro motion sensor¹, which detects temperature, luminance and motion and has an accelerometer [124]. The sensor is connected via a Z-Wave controller to a computer and integrated with OpenHab² [113] to link the sensor with the local host and also to confirm on the OpenHab interface that the sensor is functioning. This traffic is captured offline on the local host. The second sensor we used is the Raspberry Pi Camera Module V2, connected to a Raspberry Pi for live video streaming and face recognition [125]. The camera captured unrecognized faces, sent the images to Amazon Web Services Simple Storage Service (AWS S3) cloud storage and performed live streaming. The camera was streaming in HD quality to an Ubuntu-based machine, and the captured traffic duration is around 4 minutes. Due to variation in the testbed results of the data collected from these two devices, and also the time limitation of the thesis, we proceeded with our machine learning experiment using the dataset from Aalto University [114]. The researchers at Aalto University captured the traffic of 31 smart home IoT devices, and we used the captures of eight devices as our normal dataset [108]. The total number of observations was approximately 100,000 rows, containing both normal traffic data and DDoS data.

¹ https://www.fibaro.com/en/products/motion-sensor/

Figure 21: Fibaro Motion Sensor and Raspberry Pi Camera Module


4.2.1.2. Kali Linux

Kali Linux² is a Debian-based Linux distribution used for digital forensics and advanced penetration testing. It is open source and free of cost. It is customizable to the user's needs and supports more than 600 penetration testing tools in multiple languages [115]. In this thesis, Kali Linux is used to generate a DDoS attack using one of its tools, described in section 4.2.1.3.

4.2.1.3. hping3

hping3³ is a package pre-installed on Kali Linux. It is a command-line packet analyzer and assembler. It can be used for firewall testing, advanced port scanning, network testing using different Internet protocols, advanced traceroute, TCP/IP stack auditing, etc. [112]. With hping3 options the user can specify the target server, the number of packets to send, the target port, a spoofed attack source, random source or destination addresses, flooding (sending requests to the target as fast as possible), the protocol type such as TCP, UDP or ICMP, and many more options. We used hping3 to launch UDP and TCP floods on the server running on another machine.

4.2.1.4. Attack Parameters

To generate a DDoS attack with hping3, the following parameters were used.

• --flood: sends packets as fast as possible.

• --rand-source: spoofs the attack source with random IP addresses.

• -c / --count: the number of packets to send.

• -d / --data: sets the size of the packets sent to the victim server.

• -S: sets the SYN flag.

• -w / --win: specifies the TCP window size, which is 64 by default.

• -p / --destport: specifies the destination port, which is 0 by default.

• target: the last argument, the destination IP address of the server to be attacked.

² Kali Linux Home Page: https://www.kali.org/

³ http://www.hping.org/manpage.html

4.2.1.5. Scapy

Scapy⁴ is a powerful Python-based packet manipulation program. Scapy allows the user to transmit, forge, dissect and sniff network packets. It is also used for tracerouting, scanning, attacks, probing, unit testing and network discovery. Using Scapy a user can send invalid frames, inject their own frames and combine different parts of packets. Scapy allows the user to specify their own packet or set of packets and layers, and to set packet fields and values as required [116]. We used Scapy to generate GTP-U packets whose inner packet contains the DDoS attack traffic.

4.2.1.6. Apache Server

The Apache HTTP server⁵ is a cross-platform open source web server launched in 1995 and widely used since then. It is developed and maintained by an open community of developers. Apache is pre-installed on Linux distributions. For this thesis, Apache is the victim server that was overwhelmed by TCP SYN flood and UDP packets.

⁴ Scapy Home Page: https://scapy.net/

⁵ Apache Home Page: https://httpd.apache.org/


4.2.1.7. Scikit-Learn

Scikit-learn⁶ is an open source machine learning library for the Python programming language. It is an efficient and simple tool for data mining and data analysis. Scikit-learn contains implementations of different algorithms for supervised and unsupervised learning. In addition to classification, regression and clustering algorithms, the package also contains features for model selection, dimensionality reduction and data preprocessing.

Scikit-learn is extensively used by researchers and by large companies such as Spotify, booking.com, change.org and IBM Watson to integrate machine learning modules into their platforms. The reason many companies and researchers choose Scikit-learn as their artificial intelligence and machine learning tool is its ease of use, which allows plenty of tasks to be accomplished with one consistent library, an open API with proper documentation, and no cost. The classes listed in the table below have been used from the Scikit-learn library for classification.

Table 2: Classes used for Classification.

Sr# | Classifier Name     | Scikit-Learn Class
1   | KNN                 | neighbors.KNeighborsClassifier
2   | Decision Tree       | tree.DecisionTreeClassifier
3   | Naive Bayes         | naive_bayes.GaussianNB
4   | Logistic Regression | linear_model.LogisticRegression

⁶ http://scikit-learn.org/stable/


4.2.1.8. Python

Python⁷ is a high-level, general-purpose open source programming language. Due to Python's code readability philosophy, ease of learning, efficient code and easy collaboration, it has become the favorite programming language of the majority of data scientists. Python has vibrant scientific libraries and many good environments such as Spyder and Jupyter Notebook. Python's Matplotlib library is a powerful 2D graphics library that helps machine learning scientists plot graphs. Due to these strengths, we chose Python for our machine learning experiment.

4.2.2. Feature Extraction

To distinguish between normal IoT traffic and DDoS IoT traffic, packet features that indicate DDoS must be selected for machine learning classification. Source IP, destination IP, port, protocol type and flags have been used as DDoS recognition features by the majority of machine learning-based DDoS detection systems. According to the review of wireless sensor networks by Pariya et al. [117], throughput and the number of collisions are quantitative metrics that can be used to evaluate DDoS impact and also DDoS prevention techniques. We have chosen the features below to discriminate between normal and DDoS traffic [118] [69]:

⁷ https://www.python.org/


I. Packet Size: A DDoS attack distributes a massive number of packets in a short time span, and these packets are smaller and of fixed size, whereas normal packet sizes always vary. Rohan et al. [119] state that a DDoS packet is smaller than 100 bytes while a normal traffic packet is between 100 and 1200 bytes. However, based on the normal and DDoS traffic we collected, the DDoS packet size is fixed at 58, 60 and 174 bytes for the TCP SYN attack. The dataset captured by Markus et al. [120] from 31 smart home IoT devices of 27 different types shows that IoT packet size varies from 42 to 1434 bytes. Thus, a sudden increase in traffic flow with a constant packet size, whether smaller or bigger than 100 bytes, represents a DDoS attack.

II. Packet Time Interval: Normal IoT traffic flows at regular time intervals. In a DDoS attack, however, the time interval between packets is close to zero, since the agents send packets very fast [119].

The graph in Figure 23a shows that during the TCP SYN attack the packet rate oscillates between about 70k and 13k packets per second. Figure 23b shows that a motion sensor usually sends about 700 packets in roughly the same time. Generally, most IoT devices do not send packets at a very high frequency. Therefore, the inter-packet time interval is an indicator of an attack.


III. Packet Size Variance: Attack packets mostly have the same size, while normal traffic has varying packet sizes; even packets carrying the same file differ in size [119]. For example, in our dataset all TCP attack packets are 90 bytes. Equations 1 and 2 can be used for packet size variance as well.

IV. Protocol Type: An attack uses only a small number of protocols, while normal traffic contains multiple protocols. We used only two protocols (TCP and UDP) for the attack traffic, while the normal captures also contain other protocols, as shown in Figure 24.

Figure 23 a: TCP SYN Attack.

Figure 23 b: Fibaro Motion Sensor Traffic.


V. TCP SYN: In a TCP SYN denial-of-service attack, as discussed in the attack example, the server never receives the client's ACK, since the attacker's aim is not to establish a connection but to tie up the server's resources until it becomes unresponsive. Therefore, for the TCP flood, the SYN and ACK flags are taken as a feature.

VI. Destination IP: IoT devices communicate with a small number of expected destinations and rarely change their destination IP over time, so this feature also indicates DDoS attacks. A single device communicating with many distinct destinations within a short time indicates an attack; the count of distinct destinations within 10 seconds can be used to recognize one [69].

VII. TEID: The GPRS Tunnelling Protocol (GTP) assigns a unique TEID (Tunnel Endpoint Identifier) to each end of a GTP user tunnel at each node. If a single SGW receives a massive number of requests in a short time from different MME nodes, this may indicate malicious behaviour.
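The following is an added example, not code from the thesis, showing how the indicators I to VI above can be computed per source and per time window and combined into a simple flood heuristic. It uses only the Python standard library; the packet records are constructed for illustration (a real run would read the CSV exported from the pcap captures), and the thresholds in flood_indicators() are assumptions chosen to match the text rather than values measured in this work.

```python
# Added example (not the thesis's own code): windowed feature extraction for
# the indicators listed in 4.2.2, using only the Python standard library.
# Packet records are constructed for illustration; thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pvariance
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float      # capture time in seconds
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "TCP" or "UDP"
    size: int      # frame length in bytes
    flags: str     # TCP flags, e.g. "S" (SYN), "A" (ACK), "PA"; "" for UDP


# Constructed normal traffic: a sensor at 10.0.0.5 talking to its hub about
# once per second, with varying packet sizes, two protocols and ACKs present.
NORMAL_PACKETS = [
    Packet(0.0, "10.0.0.5", "10.0.0.1", "TCP", 66, "A"),
    Packet(1.1, "10.0.0.5", "10.0.0.1", "TCP", 180, "PA"),
    Packet(1.9, "10.0.0.5", "10.0.0.1", "UDP", 98, ""),
    Packet(3.0, "10.0.0.5", "10.0.0.1", "TCP", 66, "A"),
    Packet(4.2, "10.0.0.5", "10.0.0.1", "TCP", 312, "PA"),
    Packet(5.0, "10.0.0.5", "10.0.0.1", "UDP", 120, ""),
    Packet(6.1, "10.0.0.5", "10.0.0.1", "TCP", 66, "A"),
    Packet(7.3, "10.0.0.5", "10.0.0.1", "TCP", 240, "PA"),
    Packet(8.0, "10.0.0.5", "10.0.0.1", "UDP", 75, ""),
    Packet(9.2, "10.0.0.5", "10.0.0.1", "TCP", 66, "A"),
]


def constructed_syn_flood(n: int = 2000, iat: float = 0.0001) -> List[Packet]:
    """Constructed TCP SYN flood: fixed 60-byte SYNs, 0.1 ms apart, to five targets."""
    return [Packet(round(i * iat, 6), "10.0.0.9", f"10.0.1.{i % 5}", "TCP", 60, "S")
            for i in range(n)]


def window_features(packets: List[Packet], window_s: float = 10.0) -> Dict[Tuple[str, int], dict]:
    """Group packets per (source IP, time window) and compute the 4.2.2 indicators."""
    buckets: Dict[Tuple[str, int], List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        buckets[(p.src, int(p.ts // window_s))].append(p)
    features = {}
    for key, pkts in buckets.items():
        sizes = [p.size for p in pkts]
        times = [p.ts for p in pkts]
        iats = [b - a for a, b in zip(times, times[1:])]
        features[key] = {
            "pkt_count": len(pkts),
            "pkts_per_s": len(pkts) / window_s,
            "mean_size": mean(sizes),                        # feature I
            "size_variance": pvariance(sizes),               # feature III
            "mean_iat": mean(iats) if iats else window_s,    # feature II
            "distinct_dst": len({p.dst for p in pkts}),      # feature VI
            "protocols": sorted({p.proto for p in pkts}),    # feature IV
            "syn_count": sum(1 for p in pkts if p.flags == "S"),   # feature V
            "ack_count": sum(1 for p in pkts if "A" in p.flags),
        }
    return features


def flood_indicators(f: dict, min_pps: float = 100.0, max_iat: float = 0.01,
                     max_dst: int = 3) -> List[str]:
    """Names of the indicators that fire for one window (thresholds are assumptions)."""
    hits = []
    if f["pkts_per_s"] >= min_pps:
        hits.append("high_rate")
    if f["mean_iat"] <= max_iat:
        hits.append("near_zero_interval")
    if f["pkt_count"] > 1 and f["size_variance"] == 0:
        hits.append("constant_size")
    if f["distinct_dst"] > max_dst:
        hits.append("many_destinations")
    if f["syn_count"] > 0 and f["ack_count"] == 0:
        hits.append("syn_without_ack")
    return hits


def looks_like_flood(f: dict, min_hits: int = 3) -> bool:
    """A window is suspicious when at least min_hits indicators fire together."""
    return len(flood_indicators(f)) >= min_hits


if __name__ == "__main__":
    for key, f in window_features(NORMAL_PACKETS + constructed_syn_flood()).items():
        print(key, looks_like_flood(f), flood_indicators(f))
```

Requiring several indicators to fire together is deliberate: a single one (for example constant packet size) also matches legitimate keep-alive traffic from many IoT devices, which is the main source of false positives for this kind of rule.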

Figure 24: DDoS Traffic Protocol (Left) and Normal Traffic Protocol (Right).


4.2.2.1. Data Pre-Processing Phase

The data were generated and captured as explained in 4.2.1. The raw data, recorded in pcap format, were converted to comma-separated values (CSV) format. Both the malicious and the normal data were then labelled, and the features described in 4.2.2 were extracted. All normal traffic was combined into one file and all malicious traffic into another.

4.2.3. Classification Method Implementation

This section shows the implementation of the classification algorithms. Each classifier is implemented using the Scikit-learn library in Python. The algorithms were described in detail in section 2.11 of chapter 2; therefore only the code is shown in the figures below, together with a brief description in Table 3.

Figure 25: Labelling the data.


Table 3: Classifiers Summary.

Classifier            Properties

K-Nearest Neighbor    Lazy learner; usable for categorical and continuous data; effective with irregular decision boundaries

Decision Tree         Usable for categorical and continuous data; classifies by top-down induction of a decision tree

Naïve Bayes           Based on Bayes' theorem; usable for categorical and continuous data; performs well if the features are independent

Logistic Regression   Performs well when the classes are separable by a single linear decision boundary; fast and simple; suited to a binary target

Figure 26: KNN Implementation using Scikit-learn.


Figure 27: Decision Tree Implementation using Scikit-learn.

Figure 28: Naive Bayes Implementation using Scikit-learn.


Figure 29: Logistic Regression Implementation using Scikit-learn.

4.3. Summary

In this chapter we explained in detail the preprocessing phase and the methodology used in this thesis. We described the tools used to generate the DDoS attack traffic and the normal traffic, and then the features that indicate DDoS attacks in network traffic. Since the classification algorithms were described in detail in chapter 2, only their implementation is shown here, together with a tabular description of the classifiers. The next chapter describes the experimental results in detail.


5. Results

The previous chapter described the preprocessing phase of our machine learning experiment. This chapter describes the results of the classification algorithms (KNN, Decision Tree, Naïve Bayes and Logistic Regression) used to detect DDoS attacks in a packet core network. The models were trained on the collected data to predict DDoS, the performance of each algorithm was evaluated separately, and the results are shown in the tables below.

5.1. Methodology

The datasets were generated and collected as described in detail in section 4.2.1. Both the normal and the DDoS datasets were labelled and the required features extracted. The data were then converted into the format accepted by Scikit-learn. Several experiments were performed to check the accuracy and performance of the classifiers on different data combinations and sizes. It should be noted that our DDoS detection experiment covers only the TCP SYN attack and the UDP attack as samples, since the aim of the thesis is to provide a DDoS detection method. We followed the procedure below throughout the machine-learning-based DDoS detection experiment:

1. Reading the datasets

2. Selecting the features and the target

3. Splitting the dataset into a training set and a test set

4. Training the model with the classifier

5. Predicting the labels of the test set

6. Checking the accuracy of the classifier's predictions through 10-fold cross-validation


Cross-validation is a technique used to evaluate the performance of a predictive model. In supervised machine learning, the simplest evaluation in Scikit-learn splits the available dataset into a training set and a held-out test set (X_test and y_test). In k-fold cross-validation, by contrast, the dataset is partitioned into k random, equal-sized subsets. For each of the k folds, one subset is used as the test set while the remaining k-1 subsets are used for training. Every fold is tested exactly once, and the accuracy of the model is the average of the accuracies over the k folds.
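The following is an added example, not code from the thesis, that walks through the six-step procedure and the 10-fold cross-validation described above with the standard library only. The thesis used Scikit-learn (KNeighborsClassifier and cross_val_score); the hand-written k-NN here mirrors that so the whole procedure can be read end to end, including the min-max scaling that must be fitted on the training fold alone. The dataset is constructed, and its feature ranges are assumptions loosely based on the indicators in 4.2.2.

```python
# Added example (not the thesis's own code): steps 1-6 of 5.1 with k-fold
# cross-validation, standard library only. Dataset and ranges are constructed.
import random
from collections import Counter
from math import sqrt
from typing import List, Sequence, Tuple

Row = Tuple[List[float], int]   # (features, label); label 1 = DDoS, 0 = normal


def constructed_dataset(n_per_class: int = 60, seed: int = 1) -> List[Row]:
    """Steps 1-2: rows of [packet_size, inter_arrival_s, distinct_dst_10s] plus a label."""
    rng = random.Random(seed)
    rows: List[Row] = []
    for _ in range(n_per_class):
        rows.append(([rng.uniform(300, 1200), rng.uniform(0.5, 5.0), rng.randint(1, 3)], 0))
        rows.append(([rng.choice([58, 60, 174]), rng.uniform(0.0, 0.01), rng.randint(5, 12)], 1))
    return rows


def fit_minmax(X: Sequence[List[float]]) -> List[Tuple[float, float]]:
    """Per-column (min, max) learned from the training fold only, to avoid leakage."""
    return [(min(c), max(c)) for c in zip(*X)]


def apply_minmax(x: List[float], mm: List[Tuple[float, float]]) -> List[float]:
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, (lo, hi) in zip(x, mm)]


def knn_predict(train_X, train_y, x: List[float], k: int = 5) -> int:
    """Steps 4-5: majority vote among the k nearest training rows (Euclidean distance)."""
    ranked = sorted((sqrt(sum((a - b) ** 2 for a, b in zip(tx, x))), ty)
                    for tx, ty in zip(train_X, train_y))
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]


def k_fold_indices(n: int, k: int, seed: int = 0) -> List[List[int]]:
    """Step 3: shuffle first, then split into k near-equal folds, so that each
    fold holds both classes even when the input was concatenated class by class."""
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    return [idx[i::k] for i in range(k)]


def cross_validate(rows: List[Row], k_folds: int = 10, k_neighbors: int = 5,
                   seed: int = 0) -> Tuple[float, List[float]]:
    """Step 6: mean accuracy over k folds, plus the per-fold accuracies."""
    accuracies = []
    for test_idx in k_fold_indices(len(rows), k_folds, seed):
        test = set(test_idx)
        train = [rows[i] for i in range(len(rows)) if i not in test]
        mm = fit_minmax([x for x, _ in train])            # fitted on the training fold only
        train_X = [apply_minmax(x, mm) for x, _ in train]
        train_y = [y for _, y in train]
        correct = sum(
            knn_predict(train_X, train_y, apply_minmax(rows[i][0], mm), k_neighbors) == rows[i][1]
            for i in test_idx)
        accuracies.append(correct / len(test_idx))
    return sum(accuracies) / len(accuracies), accuracies


if __name__ == "__main__":
    mean_acc, per_fold = cross_validate(constructed_dataset())
    print(f"10-fold mean accuracy: {mean_acc:.4f}", [round(a, 3) for a in per_fold])
```

Fitting the scaler inside each fold matters: fitting it once on the whole dataset leaks the test fold's value range into training and inflates the cross-validated score.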

5.1.1. Experiment 1: Concatenated Normal and DDoS Data

Based on our dataset of roughly 100,000 observations, the classifiers' predictions are as in the table below. K-Nearest Neighbor and Decision Tree performed very well compared to Logistic Regression and Naïve Bayes. The result in Table 4 is based on reading the normal data and the DDoS data separately and then joining them with the concat function. The "Classification Accuracy" row is the result of 10-fold cross-validation of the classifiers.

Table 4: Classification statistics based on 10-fold cross validation.

Classifier name              KNN      Decision Tree  Logistic Regression  Naïve Bayes

Classification Accuracy (%)  99.9304  98.6356        77.4523              80.8854

5.1.2. Experiment 2: Manual Concatenation of DDoS and Normal Data

In the second experiment, we mixed the normal and DDoS data randomly by hand to check the classification result and the accuracy score. The result is still similar to that of experiment 1. The "Classification Accuracy" row is the result of 10-fold cross-validation of the classifiers.


Table 5: Classification accuracy for manually concatenated data using 10-fold cross validation.

Classifier name              KNN      Decision Tree  Logistic Regression  Naïve Bayes

Classification Accuracy (%)  99.9486  98.6356        66.7337              67.2417

5.1.3. Experiment 3: Classification with a Single Attack

In the last experiment, we checked how the classifiers identify DDoS when there is only a single attack, either UDP or TCP. The result shows that classifier performance is almost the same whether there are multiple attacks or a single attack; in both cases the classifiers discriminated sufficiently between normal and DDoS packets. The table below shows the result of this classification for each algorithm, and again KNN and Decision Tree classify very well. The "Classification Accuracy" row is the result of 10-fold cross-validation of the classifiers.


Table 6: Classification accuracy for UDP and TCP traffic types using 10-fold cross validation.

Classifier Name              KNN             Decision Tree   Logistic Regression  Naïve Bayes

Attack Type                  TCP     UDP     TCP     UDP     TCP     UDP          TCP     UDP

Classification Accuracy (%)  99.886  99.938  90.342  88.258  63.202  63.201       62.524  62.752


5.2. Classifiers Performance Evaluation

We used a confusion matrix to check the accuracy of the classification models. The confusion matrix C is defined such that C_(i,j) is the number of observations whose true class is i and whose predicted class is j. In binary classification, where the data are classified into two classes, C_(0,0) is the total of true negatives, C_(1,0) the total of false negatives, C_(1,1) the total of true positives and C_(0,1) the total of false positives. The diagonal values, TP and TN, represent the correct predictions of the classifier, and the other values the number of wrong predictions. The confusion matrix thus shows the actual value against the predicted value as follows:

• True Positive: a correct prediction of the classifier. True positives are the observations that were DDoS and that the classifier also classified as DDoS.

• True Negative: also a correct prediction of the classifier. True negatives are the observations that were not DDoS and that the classifier classified as normal packets.

• False Positive: a wrong prediction of the classifier. False positives are the observations that were normal packets but that the classifier predicted as DDoS packets.

• False Negative: also a wrong prediction of the classifier. False negatives are the observations that were DDoS packets but that the classifier predicted as normal packets.

The True Positive (TP) rate, also called recall, is the ratio of successful DDoS predictions and can be calculated with the following formula:

$$\mathrm{TP\ rate} = \frac{TP}{TP + FN} \quad (1)$$

The True Negative (TN) rate can be calculated with formula 2:

$$\mathrm{TN\ rate} = \frac{TN}{TN + FP} \quad (2)$$


The False Positive (FP) rate can be calculated with the following formula:

$$\mathrm{FP\ rate} = \frac{FP}{FP + TN} \quad (3)$$

The False Negative (FN) rate can be calculated with the following formula:

$$\mathrm{FN\ rate} = \frac{FN}{FN + TP} \quad (4)$$

The overall accuracy of a classifier's predictions can be calculated with the following formula:

$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \quad (5)$$

The confusion-matrix accuracy of the four classifiers varies roughly from 62% to 99%, as can be seen in the statistics tables in this chapter. Figure 30 shows how a confusion matrix displays the prediction result of a classification model.

Figure 30: Confusion Matrix

Precision, the positive predictive value, is the ratio of correct predictions among the packets the classifier predicted as DDoS, and is calculated with the formula below:

$$\mathrm{Precision} = \frac{TP}{TP + FP} \quad (6)$$

The F1-score is another measure of a test's accuracy in binary classification. It combines precision and recall as follows:

$$F_1 = 2 \times \frac{\mathrm{Recall} \times \mathrm{Precision}}{\mathrm{Recall} + \mathrm{Precision}} \quad (7)$$
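The following is an added example, not code from the thesis, that builds the confusion matrix in the C_(i,j) convention defined above and computes the seven measures of equations (1) to (7) from it. The label vectors are constructed for illustration; the only library used is the Python standard library. It also includes a majority-class baseline, because in packet-level DDoS data the attack class can dominate the counts, and accuracy alone (equation 5) then says little about whether the classifier has learned anything.

```python
# Added example (not the thesis's own code): confusion matrix and the measures
# of equations (1)-(7) of section 5.2, standard library only. Labels constructed.
from collections import Counter
from typing import Dict, List, Sequence

# Constructed evaluation outcome: 10 DDoS windows (1) and 10 normal windows (0);
# the hypothetical classifier misses 2 attacks and raises 1 false alarm.
Y_TRUE = [1] * 10 + [0] * 10
Y_PRED = [1] * 8 + [0] * 2 + [0] * 9 + [1]


def confusion_matrix(y_true: Sequence[int], y_pred: Sequence[int]) -> List[List[int]]:
    """C[i][j] = observations whose true class is i and predicted class is j,
    so C[0][0] = TN, C[0][1] = FP, C[1][0] = FN, C[1][1] = TP."""
    c = [[0, 0], [0, 0]]
    for t, p in zip(y_true, y_pred):
        c[t][p] += 1
    return c


def _ratio(num: float, den: float) -> float:
    """Guard against an empty class (no positives at all, or none predicted)."""
    return num / den if den else 0.0


def metrics(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, float]:
    """All measures of equations (1)-(7) from one confusion matrix."""
    (tn, fp), (fn, tp) = confusion_matrix(y_true, y_pred)
    recall = _ratio(tp, tp + fn)                    # (1) TP rate
    precision = _ratio(tp, tp + fp)                 # (6)
    return {
        "tp": tp, "tn": tn, "fp": fp, "fn": fn,
        "tp_rate": recall,
        "tn_rate": _ratio(tn, tn + fp),             # (2)
        "fp_rate": _ratio(fp, fp + tn),             # (3)
        "fn_rate": _ratio(fn, fn + tp),             # (4)
        "accuracy": _ratio(tp + tn, tp + tn + fp + fn),   # (5)
        "precision": precision,
        "f1": _ratio(2 * recall * precision, recall + precision),   # (7)
    }


def majority_baseline_accuracy(y_true: Sequence[int]) -> float:
    """Accuracy of a trivial classifier that always predicts the most common class.
    A model whose accuracy is not clearly above this has learned nothing useful."""
    return max(Counter(y_true).values()) / len(y_true)


if __name__ == "__main__":
    for name, value in metrics(Y_TRUE, Y_PRED).items():
        print(f"{name:>10}: {value:.4f}" if isinstance(value, float) else f"{name:>10}: {value}")
    print("baseline :", majority_baseline_accuracy(Y_TRUE))
```

With a capture in which 95% of packets are attack packets, the baseline accuracy is already 0.95, which is why the F1-score and the FP/FN rates are reported alongside accuracy in this chapter.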


Table 6 represents the F1-score and the precision score of the four classifiers.

Table 6: Precision and F-Score

Classifier Name  KNN      Decision Tree  Logistic Regression  Naïve Bayes

Precision        99.8954  99.9928        77.3216              69.1368

F1-Score         99.9476  99.9928        87.2106              79.4199


5.2.1. ROC Curve

The ROC (Receiver Operating Characteristic) curve is an essential graph for evaluating a diagnostic test and gives an explicit picture of classification accuracy. The ROC curve plots the true positive rate (sensitivity) against the false positive rate (1 − specificity) for every decision threshold applied to the test dataset.

Figure 34a: KNN 10-Fold Cross Validation ROC Curve.

Figure 34b: Decision Tree 10-Fold Cross Validation ROC Curve.

Figure 34c: Logistic Regression 10-Fold Cross Validation ROC Curve.

Figure 34d: Naive Bayes 10-Fold Cross Validation ROC Curve.


For every possible cut-off point (decision threshold), the classifier separates the two data classes, DDoS data and normal data. Some classifiers, such as KNN, classify DDoS packets correctly, which is referred to as True Positive (TP) (see Figure 34a), while Logistic Regression and Naïve Bayes classify DDoS packets as normal packets, which is shown as False Negative (FN) (see Figures 34c and 34d). Decision Tree and KNN perform better, as can be seen in Figures 34a and 34b, where most normal packets are classified correctly (TN). Compared to KNN and DT, LR and NB have a larger number of normal packets classified as DDoS packets, shown as False Positive (FP); KNN and DT therefore perform better. In short, the ROC curve graphically shows the classification capability of an algorithm on the given dataset. Each point on the ROC curve corresponds to a decision threshold. A curve that runs close to the upper left corner and the top border of the ROC space represents a perfect discrimination test (the blue curve), as shown in the figures above for each classification algorithm. For instance, in Figure 34d the blue line, which indicates the separation between the two sets of data, lies close to the red line, which means the classifier failed to fully differentiate the two datasets; as a result the blue line falls in the grey area, which contains both normal and DDoS traffic. A curve that passes close to the 45-degree diagonal (the red line) indicates a test with little discriminative power [121]. Figures 34a to 34d show the ROC curves of our four classifiers under 10-fold cross-validation.

Table 7: Schematic Result of ROC Curve.

Test result    Network Traffic Packets

               Negative (Normal)   Positive (DDoS)

Negative       True Negative       False Negative

Positive       False Positive      True Positive
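The following is an added example, not code from the thesis, that computes the ROC points and the area under the curve from classifier scores, which is what the curves in Figures 34a to 34d summarize. The scores are constructed; in the thesis they would be the per-fold class probabilities produced by the Scikit-learn classifiers. Only the standard library is used.

```python
# Added example (not the thesis's own code): ROC points, AUC and a single
# operating point from classifier scores, standard library only.
from typing import List, Sequence, Tuple

# Constructed scores: P(DDoS) from a hypothetical classifier for 4 attack
# windows (label 1) and 4 normal windows (label 0).
Y_TRUE = [1, 1, 1, 1, 0, 0, 0, 0]
SCORES = [0.9, 0.8, 0.7, 0.3, 0.6, 0.4, 0.2, 0.1]


def roc_points(y_true: Sequence[int], scores: Sequence[float]) -> List[Tuple[float, float]]:
    """(FPR, TPR) at every decision threshold, from the strictest (nothing flagged)
    to the loosest (everything flagged). Tied scores are released together so the
    curve never depends on the order of equal scores."""
    pos = sum(y_true)
    neg = len(y_true) - pos
    if pos == 0 or neg == 0:
        raise ValueError("ROC needs at least one positive and one negative observation")
    order = sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)
    points = [(0.0, 0.0)]
    tp = fp = 0
    i = 0
    while i < len(order):
        threshold = scores[order[i]]
        while i < len(order) and scores[order[i]] == threshold:
            if y_true[order[i]] == 1:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg, tp / pos))
    return points


def auc(points: Sequence[Tuple[float, float]]) -> float:
    """Area under the ROC curve by the trapezoid rule. 1.0 is perfect separation,
    0.5 is the 45-degree diagonal, i.e. no better than chance."""
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(points, points[1:]))


def operating_point(y_true: Sequence[int], scores: Sequence[float],
                    threshold: float) -> Tuple[float, float]:
    """The single (FPR, TPR) a deployed detector gets when it flags score >= threshold."""
    pos = sum(y_true)
    neg = len(y_true) - pos
    tp = sum(1 for y, s in zip(y_true, scores) if y == 1 and s >= threshold)
    fp = sum(1 for y, s in zip(y_true, scores) if y == 0 and s >= threshold)
    return (fp / neg, tp / pos)


if __name__ == "__main__":
    pts = roc_points(Y_TRUE, SCORES)
    print("ROC points:", pts)
    print(f"AUC = {auc(pts):.3f}; at threshold 0.5 (FPR, TPR) = {operating_point(Y_TRUE, SCORES, 0.5)}")
```

The curve is a property of the scores, while a deployed detector runs at one operating point on it; the threshold should be chosen from the cost of a missed flood against the cost of blocking a legitimate IoT device, not taken as 0.5 by default.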


5.2.2. Classifier Comparison

The decision boundaries of the classifiers are illustrated in the figure below. In the plots, solid colours indicate training points and semi-transparent colours indicate test points.

Figure 35: Classifiers Comparison.


5.3. Summary

This chapter provided a detailed description of our experimental results. We used several methods, namely the confusion matrix, k-fold cross-validation, ROC curves, F1-score and precision, to evaluate the performance of the classification models. The result of each experiment and performance evaluation was described and shown in tabular form. Finally, we plotted a comparison of the four classifiers. The next chapter presents the conclusion and future work.


6. Conclusion and Future Work

6.1. Conclusion

This thesis addresses the two main questions described in section 1.6 and provides results that fulfil the thesis objectives described in section 1.8. In addressing the primary research question, the task was to look into the IoT security challenges from the core network perspective. To achieve this objective, a comprehensive study was carried out of security threats in mobile networks, including GSM, UMTS, LTE and NB-IoT, together with a detailed study of IoT protocol vulnerabilities, which are the main weaknesses attackers can exploit to launch an attack. To address the second research question and achieve the thesis objectives, machine learning techniques were used to detect DDoS attacks in the packet core network generated by insecure IoT devices. Detecting attacks in the packet core network is not the same as detecting them at the source or at the destination, because of the core network's GTP tunnelling and packet encapsulation. However, in the case of NB-IoT, a sudden increase in packets received at a single EPG node from a number of different MME nodes may indicate an attack, since NB-IoT devices do not transmit packets at a very high frequency. Therefore, to detect DDoS attacks, we proposed performing deep packet inspection at the EPG node and then detecting the attacks with machine learning classifiers, as explained in section 0. Based on this proposal, normal and DDoS data were generated according to the core network scenario discussed in section 4.2. DDoS detection was then performed through supervised machine learning using four classification algorithms: KNN, Decision Tree, Naïve Bayes and Logistic Regression.

To determine the performance of the algorithms, the experiments were evaluated with different dataset sizes, k-fold cross-validation, confusion matrices and ROC curves. The results show that KNN (99.93% accuracy) and Decision Tree (99.31% accuracy) perform with high accuracy, while Logistic Regression (77.18% accuracy) and Naïve Bayes (74.17% accuracy) perform with sufficient accuracy.


This thesis focused only on TCP and UDP attacks because they are the most widely used protocols for launching an attack, and also because of the limited time available within the scope of this thesis. We believe that experimenting with these two attack types gives insight into how other types of attack in the core network could be detected.

To the best of our knowledge, this is the earliest work to detect IoT-based DDoS attacks in the packet core network through supervised machine learning.

6.2. Future Work

In this thesis the aim was to detect DDoS attacks in the core network, and the objective was to propose a solution that should lead to a concrete implementation in the future. A DDoS detection method for the core network is therefore proposed in detail throughout the thesis, and offline data were used to train and test the models in all experiments. For future work we recommend, first, testing this method in a real test environment. Secondly, this thesis focused only on the UDP flood and the TCP SYN flood; in the future we would like to include all possible DDoS attacks in order to protect IoT services. Lastly, we would like to perform supervised machine learning DDoS detection with other algorithms, such as a Recurrent Neural Network in the Google TensorFlow framework.


References

[1] K. K. Patel and S. M. Patel, "Internet of Things-IOT: Definition, Characteristics,

Architecture, Enabling Technologies, Application & Future Challenges," International

Journal of Engineering Science and Computing, vol. 6, no. 5, pp. 6122-6131, 2016.

[2] S. Chen, H. Xu, D. Liu, B. Hu and H. Wang, "A Vision of IoT: Applications, Challenges,

and Opportunities With China Perspective," IEEE INTERNET OF THINGS JOURNAL,

vol. 1, no. 4, pp. 349 - 359, 2014.

[3] I. Lee and K. Lee, "The Internet of Things (IoT): Applications, investments, and challenges

for enterprises," Business Horizons, vol. 58, no. 4, pp. 431-440, 2015.

[4] EY, "Cybersecurity and the Internet of Things," March 2015. [Online]. Available:

http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-

things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf. [Accessed 1 April 2018].

[5] Ericsson, "Internet of Things forecast," Ericsson, [Online]. Available:

https://www.ericsson.com/en/mobility-report/internet-of-things-forecast. [Accessed 12

March 2018].

[6] H. Oswaldsson, Massive Internet of Things, Ericsson, 2017.

[7] R. Mahmoud, T. Yousuf, F. Aloul and I. Zualkernan, "Internet of things (IoT) security:

Current status, challenges and prospective measures," in 2015 10th International Conference

for Internet Technology and Secured Transactions (ICITST), London, 2015.

[8] Y. H. Hwang, "IoT Security & Privacy: Threats and Challenges," in IoTPTS '15 Proceedings

of the 1st ACM Workshop on IoT Privacy, Trust, and Security, Singapore.


[9] M. Chiang and T. Zhang, "Fog and IoT: An Overview of Research Opportunities," IEEE

INTERNET OF THINGS JOURNAL, vol. 3, no. 6, pp. 854-864, 2016.

[10] P. Schulz, M. Matthe, H. Klessig, M. Simsek, G. Fettweis, J. Ansari, S. A. Ashraf, B.

Almeroth, J. Voigt, I. Riedel, A. Puschmann, A. Mitschele-Thiel, M. Muller, T. Elste and

Windisc, "Latency Critical IoT Applications in 5G: Perspective on the Design of Radio

Interface and Network Architecture," IEEE Communications Magazine, vol. 5, no. 2, pp.

70 - 78, 2017.

[11] W. Yang, M. Wang, J. Zhang, J. Zou, M. Hua, T. Xia and X. You, "Narrowband Wireless

Access for Low-Power Massive Internet of Things: A Bandwidth Perspective," IEEE

Wireless Communications, vol. 24, no. 3, pp. 138 - 145, 2017.

[12] M. Bajer, "IoT for smart buildings - long awaited revolution or lean evolution," in 23rd

International Workshop of the European Group for Intelligent Computing in Engineering,

Kraków, 2016.

[13] P. Jianli and Z. Yang, "Cybersecurity Challenges and Opportunities in the New “Edge

Computing+ IoT” World," in International Workshop on Security in Software Defined

Networks & Network Function Virtualization, New York, 2018.

[14] T. Heer, O. Garcia-Morchon, R. Hummen, S. Loong Keoh, S. S. Kumar and K. Wehrle,

"Security Challenges in the IP-based Internet of Things," in Wireless Personal

Communications, 2011.

[15] Arbor, "NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report," 23

January 2018. [Online]. Available:

https://www.arbornetworks.com/report/?utm_source=press_release&utm_medium=press_

release&utm_campaign=WISR13&utm_term=DDoS&utm_content=whitepaper.

[Accessed 1 March 2018].

[16] I. van der Elzen and J. van Heugten, "Techniques for detecting compromised IoT Devices," University of Amsterdam, Amsterdam, 2017.


[17] Michigan State University, "Home: Benefits of Green Roofs," Green Roof Research, 12 January 2017. [Online]. Available: http://www.greenroof.hrt.msu.edu/benefits/index.html. [Accessed 29 March 2018].

[18] K. Ngo Manh, S. Saguna, M. Karan and Ǻ. Christer, "IReHMo: An efficient IoT-based

remote health monitoring system for smart regions," in E-health Networking, Application

& Services (HealthCom), Boston, 2015.

[19] P. Gope and T. Hwang, "BSN-Care: A secure IoT-based modern healthcare system using

body sensor network," IEEE Sensors Journal, vol. 16, no. 5, pp. 1368-1376, 2016.

[20] Z. He, T. Zhang and R. B. Lee, "Machine Learning Based DDoS Attack Detection from

Source Side in Cloud," in IEEE, New York, 2017.

[21] M. Suresh and R. Anitha, "Evaluating machine learning algorithms for detecting DDoS

attacks," in International Conference on Network Security and Applications, Berlin, 2011.

[22] M. Zekri, S. El Kafhali, N. Aboutabit and Y. Saadi, "DDoS attack detection using machine

learning techniques in cloud computing environments," in Cloud Computing Technologies

and Applications (CloudTech), Rabat, 2017.

[23] S. Umarani and D. Sharmila, "Predicting application layer DDoS attacks using machine

learning algorithms," International Journal of Computer, control Quantum and information

Engineering, vol. 8, no. 10, pp. 1912-1917, 2014.

[24] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi and M. Ghogho, "Deep learning

approach for network intrusion detection in software defined networking," in 2016

International Conference on Wireless Networks and Mobile Communications (WINCOM),

Fez, 2016.

[25] B. Ray, "Home: #ASKIOT," IoT News, 9 May 2017. [Online]. Available:

https://www.iotforall.com/what-is-narrowband-iot-nb-iot/. [Accessed 29 March 2018].


[26] S. Kavanagh, "Home: 5G Guides," 5G News, 11 January 2018. [Online]. Available:

https://5g.co.uk/guides/what-is-narrowband-iot/. [Accessed 29 March 2018].

[27] F. Ali, A. Nor Badrul, S. Rosli, A. Fairuz, M. Ra’uf Ridzuan and S. Shahaboddin, "A study

of machine learning classifiers for anomaly-based mobile botnet detection," Malaysian

Journal of Computer Science, vol. 26, no. 4, pp. 251-265, 2013.

[28] D. Watt, "Security & Vulnerability in electric power systems," in 35th North American

Power Symposium, Missouri, 2003.

[29] Wikipedia, "Vulnerability (computing)," [Online]. Available: https://en.wikipedia.org/wiki/Vulnerability_(computing). [Accessed 27 April 2018].

[30] S. Babar, P. Mahalle, A. Stango, N. Prasad and R. Prasad, "Proposed security model and

threat taxonomy for the Internet of Things (IoT)," in International Conference on Network

Security and Applications, Berlin, 2010.

[31] M. Abomhara and G. M. Køien, "Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks," Journal of Cyber Security and Mobility, vol. 4, no. 1, pp. 65-88, 2015.

[32] R. Sultan and S. Abbas, "Web Services Threats, Vulnerabilities and Countermeasures," International Journal of Advanced Research in Computer Science and Management Studies, vol. 3, no. 3, pp. 243-252, 2015.

[33] Wikipedia, "wiki," [Online]. Available: https://en.wikipedia.org/wiki/Denial-of-

service_attack. [Accessed 13 March 2018].

[34] V. Matta, M. D. Mauro and M. Longo, "DDoS attacks with randomized traffic innovation:

botnet identification challenges and strategies," IEEE Transactions on Information

Forensics and Security, vol. 2017, no. 8, pp. 1844-1859, 2017.


[35] T. Booth and K. Andersson, "Network Security of Internet Services: Eliminate DDoS

Reflection Amplification Attacks," Journal of Internet Services and Information Security

(JISIS), vol. 5, no. 3, pp. 58-79, 2015.

[36] L. Xiao, X. Wan, X. Lu, Y. Zhang and D. Wu, "IoT Security Techniques Based on Machine Learning," arXiv preprint arXiv:1801.06275, pp. 1-20, 2018.

[37] I. van der Elzen and J. van Heugten, "Techniques for detecting compromised IoT devices," University of Amsterdam, Amsterdam, 2017.

[38] S. Edwards and I. Profetis, "Analysis of a decentralized internet worm for IoT devices,"

Rapidity Networks, vol. 16, pp. 1-18, 2016.

[39] J. Mirkovic, G. Prier and P. Reiher, "Attacking DDoS at the source," in 10th IEEE

International Conference on, 2002.

[40] T. M. Gil and M. Poletto, "MULTOPS: A Data-Structure for Bandwidth Attack Detection," in Proceedings of the 10th USENIX Security Symposium, Washington, 2001.

[41] I. CS3, "MANANET®," Comprehensive DDoS Defense Solutions, [Online]. Available:

http://cs3-inc.com/MANAnet.html. [Accessed 8 March 2018].

[42] S. Seufert and D. O'Brien, "Machine learning for automatic defence against distributed

denial of service attacks," in IEEE International Conference on, Glasgow, 2007.

[43] P. K. Bediako, "Long Short-Term Memory Recurrent Neural Network for detecting DDoS flooding attacks within TensorFlow Implementation framework," Luleå University of Technology, 2017.

[44] E. Alomari, S. Manickam, B. Gupta, S. Karuppayah and R. Alfaris, "Botnet-based

distributed denial of service (DDoS) attacks on web servers: classification and art,"

International Journal of Computer Applications , vol. 49, no. 7, pp. 24-32, 2012.


[45] Incapsula.com, "DDoS," DDoS Protection, [Online]. Available:

https://www.incapsula.com/ddos/ddos-attacks/. [Accessed 14 March 2018].

[46] CARPEC, "CARPEC List," Identifying and Understanding Attacks, [Online]. Available:

https://capec.mitre.org. [Accessed 14 March 2018].

[47] M. Hyvärinen, "Detection of Distributed Denial-of-Service Attacks in Encrypted Network

Traffic," University of Jyväskylä, Jyväskylä, 2016.

[48] W. FuiFui and X. T. Cheng, "A survey of trends in massive DDoS attacks and cloud-based

mitigations," International Journal of Network Security & Its Applications, vol. 6, no. 3, p.

57, 2014.

[49] L. Feinstein, D. Schnackenberg , R. Balupari and D. Kindred, "Statistical Approaches to

DDoS Attack Detection and Response," in IEEE , 2003.

[50] R. Braga, E. Mota and A. Passito, "Lightweight DDoS Flooding Attack Detection Using

NOX/OpenFlow," in 35th Annual IEEE Conference on Local Computer Networks LCN,,

Colorado, Denver, 2010.

[51] M. H. Bhuyan, D. Bhattacharyya and J. Kalita, "An empirical evaluation of information

metrics for low-rate and high-rate DDoS attack detection," ELSEVIER-Pattern Recognition

Letters , no. 51, pp. 1-7, 2015.

[52] S. M. Mousavi and M. St-Hilaire, "Early Detection of DDoS Attacks against SDN

Controllers," in 2015 International Conference on Computing, Networking and

Communications, Communications and Information Security Symposium, 2015.

[53] J. N. Bakker, "Intelligent Traffic Classification for Detecting DDoS Attacks using

SDN/OpenFlow," Victoria University of Wellington, Wellington, 2017.

[54] D. Sarang, K. Praveen, S. Todd and L. John, "Deep packet inspection using parallel bloom

filters," IEEE Computer Society, vol. 24, no. 1, pp. 52 - 61, 2004.

Page 99: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

89

[55] K. Sailesh, D. Sarang, Y. Fang, C. Patrick and T. Jonathan, "Algorithms to Accelerate

Multiple Regular Expressions Matching for Deep Packet Inspection," ACM SIGCOMM

Computer Communication Review, vol. 36, no. 4, pp. 339-350, 2006.

[56] V. Maini, "Machine Learning for Human," 19 August 2017. [Online]. Available:

https://medium.com/machine-learning-for-humans/reinforcement-learning-6eacf258b265.

[Accessed 14 March 2018].

[57] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi and M. Ghogho, "Deep learning

approach for network intrusion detection in software defined networking," in IEEE, Fez,

2016.

[58] D. Adeniyi, Z. Wei and Y. Yongquan, "Automated web usage data mining and

recommendation system using K-Nearest Neighbor (KNN) classification method," Applied

Computing and Informatics (2016), vol. 12, no. 1, pp. 90-108, 2016.

[59] K. Zakka, "k-nearest neighbor," 13 July 2016. [Online]. Available:

https://kevinzakka.github.io/2016/07/13/k-nearest-neighbor/. [Accessed 2 May 2018].

[60] F. Tian, X. Cheng, G. Meng and Y. Xu, "Research on Flight Phase Division Based on

Decision Tree Classifier," in Computational Intelligence and Applications (ICCIA), 2017

2nd IEEE International Conference on, Bejing, 2017.

[61] Y.-C. Wu, H.-R. Tseng, W. Yang and . R.-H. Jan, "DDoS detection and traceback with

decision tree and grey relational analysis," International Journal of Ad Hoc and Ubiquitous

Computing, vol. 7, no. 2, pp. 212-136, 2011.

[62] T. R. Patil and S. S. Sherekar, "Performance Analysis of Naive Bayes and J48 Classification

Algorithm for Data Classification," International Journal Of Computer Science And

Applications, vol. 6, no. 2, pp. 256-261, 2013.

Page 100: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

90

[63] A. S. Tejaswinee and J. R. Prasad, "IoT based Animal Health Monitoring with Naive Bayes

Classification," International Journal on Emerging Trends in Technology, vol. 1, no. 2,

2017.

[64] P. T. Sony, R. Vita and T. R. Agnes, "Comparison Performance Between Rare Event

Weighted Logistic Regression And Truncated Regularized Prior Correction On Modelling

Imbalanced Welfare Classification In Bali," in International Conference on Information and

Communications Technology, 2018.

[65] P. Kamboj, V. K. Trivedi and V. K. Singh, "Detection techniques of DDoS attacks: A

survey," in 2017 4th IEEE Uttar Pradesh Section International Conference on Electrical,

Computer and Electronics (UPCON), Mathura, 2017.

[66] J. C. J. Z. Q. L. X. T. Y. Guo, "A DDoS Detection Method for Socially Aware Networking

Based on Forecasting Fusion Feature Sequence," The Computer Journal, vol. 61, no. 7, pp.

1-12, 24 March 2018.

[67] S. Seufert and D. O'BRIEN, "Machine learning for automatic defence against distributed

denial of service attacks," in IEEE International Conference on Communication, Glasgow,

2007.

[68] Bediako and P. Ken, Long Short-Term Memory Recurrent Neural Network for detecting

DDoS flooding attacks within TensorFlow Implementation framework, Lulea: LTU, 2017.

[69] R. Doshi, N. Apthorpe and N. Feamster, "Computer Science > Cryptography and security,"

Library, 11 April 2018. [Online]. Available: https://arxiv.org/pdf/1804.04159.pdf.

[Accessed 20 April 2018].

[70] A. Feizollah, N. B. Anuar, R. Salleh, F. Amalina, R. R. Ma’arof and S. Shamshirband,

"STUDY OF MACHINE LEARNING CLASSIFIERS FOR ANOMALY-BASED

MOBILE BOTNET," Malaysian Journal of Computer Science, vol. 26, no. 4, pp. 251-265,

2013.

Page 101: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

91

[71] N. Artiza, "Resources," [Online]. Available:

http://www.artizanetworks.com/resources/tutorials/fuc.html. [Accessed 27 April 2018].

[72] F. Firmin, "Technologies," The Mobile Broadband Standard, [Online]. Available:

http://www.3gpp.org/technologies/keywords-acronyms/100-the-evolved-packet-core.

[Accessed 27 April 2018].

[73] D. Flore, "Workshop," 2009. [Online]. Available: ftp://www.3gpp.org/workshop/2009-12-

17_ITU-R_IMT-Adv_eval/docs/pdf/REV-

090005%20LTE%20RAN%20Architecture%20aspects.pdf. [Accessed 27 April 2018].

[74] M. Commerce, "Home Subscriber Server (HSS)," Market and Technology Research, 12

July 2012. [Online]. Available: https://blog.mindcommerce.com/2012/07/12/home-

subscriber-server-hss/. [Accessed 3 May 2018].

[75] M. Toorani and A. Beheshti, "Solutions to the GSM Security Weaknesses," in 2008 The

Second International Conference on Next Generation Mobile Applications, Services, and

Technologies, Kardiff, 2008.

[76] C. Xenakis and L. Merakos, "Security in 3rd Generation Mobile Networks," Computer

Communication, vol. 27, no. 7, pp. 638-650, 2004.

[77] A. N. Bikos and N. Sklavos, "LTE/SAE Security Issues on 4G Wireless Networks," IEEE

Security and privacy, vol. 11, no. 2, pp. 55-62, 2012.

[78] M. Lichtman, R. P. Jover and M. Labib, "LTE/LTE-A Jamming, Spoofing, and

Sniffing:Threat Assessment and Mitigation," IEEE Coomunication Magazine, vol. 54, no.

4, pp. 54-61, 2016.

[79] Y. Park and T. Park, "A Survey of Security Threats on 4G Networks," in Globecom

Workshops, Washington DC, 2007.

Page 102: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

92

[80] Wikipedia, "Narrowband IoT," Information, [Online]. Available:

https://en.wikipedia.org/wiki/Narrowband_IoT. [Accessed 3 May 20018].

[81] "What is Narrowband-IoT? 5 Benefits to IoT Devices," M2M Atena, 17 July 2017. [Online].

Available: http://blog.antenova-m2m.com/what-is-narrowband-iot-5-benefits-to-iot-

devices. [Accessed 3 May 2018].

[82] Y. D. Beyene, R. Jantti , K. Ruttik and S. Iraji, "On the Performance of Narrow-Band

Internet of Things (NB-IoT)," in Wireless Communications and Networking Conference

(WCNC),, San Francisco, 2017.

[83] N. Mangalvedhe, R. Ratasuk and A. Ghosh, "NB-IoT deployment study for low power wide

area cellular IoT," in 2016 IEEE 27th Annual International Symposium on Personal, Indoor,

and Mobile Radio Communications (PIMRC), Valencia, 2016.

[84] . C. Yu , L. Yu, Y. Wu, Y. He and Q. Lu, "Uplink Scheduling and Link Adaptation for

Narrowband Internet of Things Systems," IEEE Access, vol. 5, pp. 1724 - 1734, 2017.

[85] W. Zhou, Y. Zhang and P. Liu, "The Effect of IoT New Features on Security and Privacy:

New Threats, Existing Solutions, and Challenges Yet to Be Solved," eprint

arXiv:1802.03110, vol. 1, no. 1, pp. 1-11, 2018.

[86] B. Copos, K. Levitt, M. Bishop and J. Rowe, "Is Anybody Home? Inferring Activity From

Smart Home Network Traffic," in In Security and Privacy Workshops (SPW), San Jose,

2016.

[87] J. Noorman, P. Agten, W. Daniels, R. Strackx, A. Van Herrewege, C. Huygens, B. Preneel,

I. Verbauwhede and F. Piessens, "Sancus: Low-cost Trustworthy Extensible Networked

Devices with a Zero-software Trusted Computing Base," in USENIX Security Symposium,

2013.

Page 103: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

93

[88] M. B. Tamboli and D. Dambawade, "Secure and efficient CoAP based authentication and

access control for Internet of Things (IoT)," in IEEE International Conference On Recent

Trends In Electronics Information Communication Technology, Bangalore, 2016.

[89] R. Abdul Rahman and B. Shah, "Security analysis of IoT protocols: A focus in CoAP," in

2016 3rd MEC International Conference on Big Data and Smart City, Muscat, 2016.

[90] M. Brachmann, O. Garcia-Morchon and M. Kirsche, "Security for Practical CoAP

Applications: Issues and Solution Approaches," GI/ITG KuVS Fachgesprch Sensornetze

(FGSN). Universitt Stuttgart, 2011.

[91] R. d. J. Martins, V. G. Schaurich, L. A. D. Knob, J. A. Wickboldt, A. S. Filho, L. Z.

Granville and M. Pias, "Performance Analysis of 6LoWPAN and CoAP for Secure

Communications in Smart Homes," in IEEE 30th International Conference on Advanced

Information Networking and Applications (AINA), Crans-Montana, 2016.

[92] . A. Al-Fuqaha, M. Guizani, . M. Mohammadi, M. Aledhari and M. Ayyash, "Internet of

Things: A Survey on Enabling Technologies, Protocols, and Applications," IEEE

Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2347-2376, 2015.

[93] A. M. Ahmad W. Atamli, "Threat-based security analysis for the internet of things," in 2014

International Workshop on Secure Internet of Things (SIoT), 2014.

[94] S. N. Firdous, Z. Baig, C. Valli and A. Ibrahim, "Modelling and Evaluation of Malicious

Attacks against the IoT MQTT Protocol," in 2017 IEEE International Conference on

Internet of Things (iThings) and IEEE Green Computing and Communications

(GreenCom)and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart

Data (SmartData), 2017, Exeter.

[95] L. Nastase, "Security in the Internet of Things: A Survey on Application Layer Protocol,"

in 2017 21st International Conference on Control Systems and Computer Science,

Bucharest, 2017.

Page 104: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

94

[96] N. Naik, "Choice of Effective Messaging Protocols for IoT Systems: MQTT, CoAP, AMQP

and HTTP," in Systems Engineering Symposium (ISSE), 2017 IEEE International, Vienna,

2017.

[97] I. N. McAteer, M. I. Malik, Z. Baig and P. Hannay, "Security vulnerabilities and cyber threat

analysis of the AMQP Protocol for the internet of things," in Australian Information

Security Managemenr Confernce, Nukuhetulu, 2017.

[98] J. A. R. Ramírez, E. M. Franco and D. T. Varela, "Fuzzification of facial movements to

generate human-machine interfaces in order to control robots by XMPP internet Protocol,"

in MATEC Web of Conferences, 2017.

[99] A. Lahmadi, C. Brandin and O. Festor, "A Testing Framework for Discovering

Vulnerabilities in 6LoWPAN Networks," in Distributed Computing in Sensor Systems

(DCOSS), Hangzhou, 2012.

[100] . R. Hummen, J. Hiller, H. Wirtz , M. Henze, H. Shafagh and K. Wehrle, "6LoWPAN

Fragmentation Attacks and Mitigation Mechanisms," in Security and privacy in wireless

and mobile networks, Budapest, 2013.

[101] G. Glissa and A. Meddeb, "6LoWPAN multi-layered security protocol based on IEEE

802.15.4 security features," in Wireless Communications and Mobile Computing

Conference (IWCMC), Valencia, 2017.

[102] A. K. Nain, J. Bandaru, M. A. Zubair and R. Pachamuthu, "A Secure Phase-Encrypted IEEE

802.15.4 Transceiver Design," IEEE Transactions on Computers, vol. 66, no. 8, pp. 1421-

1427, 2017.

[103] P. R. Ajay Kumar Nain, "A reliable covert channel over IEEE 802.15.4 using

steganography," in Internet of Things (WF-IoT), 2016 IEEE 3rd World Forum on, Reston,

VA, 2016.

Page 105: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

95

[104] Y. Zou, J. Zhu, X. Wang and L. Hanzo, "A Survey on Wireless Security: Technical

Challenges, Recent Advances, and Future Trends," Proceedings of the IEEE, vol. 104, no.

9, pp. 1727-1765, 2016.

[105] N. Sastry and D. Wagner, "Security considerations for IEEE 802.15.4 networks," in In

Proceedings of the 3rd ACM workshop on Wireless security, Philidelphia, PA, 2004.

[106] CVE, "HOME : CVE LIST," cybersecurity vulnerabilities, [Online]. Available:

https://cve.mitre.org/. [Accessed 7 June 2018].

[107] M. Sapra, "Engineering," Presentation, inforgraphic and documents, 26 May 2016. [Online].

Available: https://www.slideshare.net/manish_sapra/lte-default-and-dedicated-bearer-

volte. [Accessed 17 April 2018].

[108] Aliirfan04, "Technology," Presentation, Inforgraphic, Documents, 26 April 2017. [Online].

Available: https://www.slideshare.net/aliirfan04/gtp-overview. [Accessed 17 April 2018].

[109] Cisco, "Home/Support/Product Support/Wireless/Cisco ASR 5000 Series/Configuration

Guides," Network Hardware and Software, 6 September 2017. [Online]. Available:

https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-3_N5-

5/Ultra_IoT_CSGN/21-3-Ultra-IoT-CSGN-Guide/21-3-Ultra-IoT-CSGN-

Guide_chapter_01.html. [Accessed 17 April 2018].

[110] CAIDA, "data: passive," Center for Applied Internet data analysis , 4 August 2007.

[Online]. Available: https://www.caida.org/data/passive/ddos-20070804_dataset.xml.

[Accessed 23 April 2018].

[111] C. I. o. Cybersecurity, "datasets," Cybersecurity , 12 June 2009. [Online]. Available:

http://www.unb.ca/cic/datasets/nsl.html. [Accessed 23 April 2018].

[112] K. org, "Information Gathering," 18 February 2014. [Online]. Available:

https://tools.kali.org/information-gathering/hping3. [Accessed 22 April 2018].

Page 106: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

96

[113] OpenHAB, "Home/downloads," OpenHab, [Online]. Available:

https://www.openhab.org/downloads.html. [Accessed 25 April 2018].

[114] M. Miettinen, S. Marchal , I. Hafeez, N. Asokan, A.-R. Sadeghi and S. Tarkoma, "IoT

Sentinel: Automated Device-Type Identification for Security Enforcement in IoT," in 37th

IEEE International Conference on Distributed Computing Systems, Atlanta, 2017.

[115] K. Linux, "Introduction," Information Security Testing Tool, 13 March 2013. [Online].

Available: https://docs.kali.org/introduction/what-is-kali-linux. [Accessed 25 April 2018].

[116] P. Biond, "scapy," 2008. [Online]. Available:

https://phaethon.github.io/scapy/api/introduction.html. [Accessed 25 April 2018].

[117] P. Pandey, M. Jain and R. Pachouri, "DDOS ATTACK ON WIRELESS SENSOR

NETWORK: A REVIEW," International Journal of Advanced Research in Computer

Science, vol. 8, no. 9, pp. 227-229, 2017.

[118] T. T. Oo and T. Phyu, "Analysis of DDoS Detection System based on Anomaly Detection

System," in International Conference on Advances in Engineering and Technology

(ICAET'2014), Singapore, 2014.

[119] R. Doshi, N. Apthorp and N. Feamster, "Machine Learning DDoS Detection for Consumer

Internet of Things Devices," in 2018 Workshop on Deep Learning and Security (DLS '18),

Harvard, 2018.

[120] M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A.-R. Sadeghi and S. Tarkoma, "IoT

Sentinel: Automated Device-Type Identification for Security Enforcement in IoT," in

International Conference on Distributed Computing Systems, Atlanta, 2017.

[121] G. C. M H Zweig, "Zweig, M. H., & Campbell, G. (1993). Receiver-operating characteristic

(ROC) plots: a fundamental evaluation tool in clinical medicine," The American

Association for Clinical Chemistry, vol. 39, no. 4, pp. 561-577, 1993.

Page 107: Machine Learning for Ddos Detection in Packet Core Network ...1360486/FULLTEXT02.pdf · MQTT Message Queue Telemetry Protocol NB-IoT Narrow Band Internet of Thing NAS Non-Access stratum

97

[122] K. Rawlinson, "HP News," Computer, 29 July 2014. [Online]. Available:

http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.WsARNtNuZQI.

[Accessed 1 April 2018].

[123] Scikit-Learn, "Home," Machine Learning Tool, 2007. [Online]. Available: http://scikit-

learn.org/stable/index.html. [Accessed 23 April 2018].

[124] Fibaro, "Product," Sensors, [Online]. Available:

https://www.fibaro.com/en/products/motion-sensor/. [Accessed 25 April 2018].

[125] R. Pi, "Product," Hardware, 12 April 2016. [Online]. Available:

https://www.raspberrypi.org/products/camera-module-v2/. [Accessed 25 April 2018].

[126] H. Zhang, J. Li, B. Wen, Y. Xun and J. Liu, "Connecting Intelligent Things in Smart

Hospitals using NB-IoT," IEEE Internet of Things Journal, 2018.

[127] S. Babar, P. Mahalle, A. Stango, N. Prasad and R. Prasad, "Proposed security model and

threat taxonomy for the Internet of Things (IoT)," in International Conference on Network

Security and Applications, Berlin, 2010.

[128] I. van der Elzen and J. van Heugten, "Techniques for detecting compromised IoT devices,"

University of Amsterdam, 2017.


Recommended