Abstract

The rise of Internet of Things (IoT) devices has led to the proliferation of smart environments worldwide. Although commodity IoT devices are employed by ordinary end-users, complex environments such as smart buildings, government or private offices, or conference rooms require customized and highly reliable IoT solutions. Enterprise Internet of Things (E-IoT) systems connect such environments to the Internet and are professionally managed solutions usually offered by dedicated vendors. E-IoT systems require specialized training, closed-source software, and proprietary equipment to deploy. In effect, E-IoT systems present an unprecedented, under-researched, and unexplored threat vector for an attacker. In this work, we focus on E-IoT drivers, software modules used to integrate devices into E-IoT systems, as an attack mechanism. We first present POISONIVY, a series of generalized proof-of-concept attacks used to demonstrate that an attacker can use a malicious driver to perform denial-of-service attacks, gain remote control, and abuse E-IoT system resources. To defend against E-IoT driver-based threats, we introduce IVYCIDE, a novel intrusion detection system used to detect unexpected E-IoT network traffic from an E-IoT system. IVYCIDE operates as a passive monitoring system within an E-IoT system, using machine learning and signature-based classification to detect POISONIVY attacks. We evaluated the performance of IVYCIDE in a realistic E-IoT deployment. Our detailed evaluation results show that IVYCIDE achieves an average accuracy of 97% in classifying the type of POISONIVY attack and operates without modifications or operational overhead to existing E-IoT systems.
