A Measurement Approach for Inline Intrusion Detection of Heartbleed-Like Attacks in IoT Frameworks

Abstract

Cyber security is one of the most crucial aspects of the Internet of Things (IoT). Among the possible threats, great interest is today paid toward the possible capturing of information caused by external attacks on both client and server sides. Whatever the IoT application, the involved nodes are exposed to cyberattacks mainly through the vulnerability of either the sensor nodes themselves (if they have the capabilities for networking operativity) or the IoT gateways, which are the devices able to create the link between the local nodes of the IoT network, and the wide area networks. Due to the low-cost constraints typical of many IoT applications, the IoT sensor nodes and IoT gateways are often developed on low-performance processing units, in many cases customized for the specific application, and thus not easy to update against new cyber threats that are continuously identified. In the framework of cyberattacks aimed at capturing sensitive information, one of the most known was the heartbleed, which, has allowed attackers to remotely read protected memory from an estimated 24%–55% of popular HTTPS sites. To overcome such a problem, which was due to a bug of the OpenSSL, a suitable patch was quickly released, thus allowing to avoid the problem in most of the cases. However, IoT devices may require more advanced mitigation techniques, because they are sometimes unable to be patched for several practical reasons. In this scenario, the article proposes a novel measurement method for inline detecting intrusions due to heartbleed and heartbleed-like attacks. The proposed solution is based on an effective rule which does not require decoding the payload and that can be implemented on a low-performance general-purpose processing unit. Therefore, it can be straightforwardly implemented and included in either IoT sensor nodes or IoT gateways. The realized system has been tested and validated on a number of experiments carried out on a real network, showing performance comparable (in some cases better) with the heavier machine learning-based methods.