Manufacturer Usage Description Research Articles

An Architecture of Enhanced Profiling Assurance for IoT Networks

Attacks launched from IoT networks can cause significant damage to critical network systems and services. IoT networks may contain a large volume of devices. Protecting these devices from being abused to launch traffic amplification attacks is critical. The manufacturer usage description (MUD) architecture uses pre-defined stateless access control rules to allow or block specific network traffic without stateful communication inspection. This can lead to false negative filtering of malicious traffic, as the MUD architecture does not include the monitoring of communication states to determine which connections to allow through. This study presents a novel solution, the enhanced profiling assurance (EPA) architecture. It incorporates both stateless and stateful communication inspection, a unique approach that enhances the detection effectiveness of the MUD architecture. EPA contains layered intrusion detection and prevention systems to monitor stateful and stateless communication. It adopts three-way decision theory with three outcomes: allow, deny, and uncertain. Packets that are marked as uncertain must be continuously monitored to determine access permission. Our analysis, conducted with two network scenarios, demonstrates the superiority of the EPA over the MUD architecture in detecting malicious activities.

Integrating the manufacturer usage description standard in the modelling of cyber–physical systems

The continuous growth of cyber–physical systems (CPS) attacks, especially due to the conflict in Ukraine, has highlighted the need for cybersecurity management mechanisms, due to the catastrophic consequences that a failure or attack on critical infrastructures such as power plants. Indeed, Gartner predicts that by 2025, 30% of critical infrastructures will suffer a cyberattack. In this context, defining the expected behaviour of the system is key to detecting and mitigating possible vulnerabilities both in the design and runtime phases. Modelling emerges as a tool that facilitates the analysis of the security offered by the system even before the system is implemented, allowing an early risk analysis. However, creating such a model is usually challenging due to its intrinsic complexity, or the reconfiguration needed after a security assessment due to a new vulnerability. The situation gets even worse when the system is a complex CPS-of-Systems, where different Constituent Systems (CS) are interconnected since cascade effects and dependencies are stronger and we might not have all the information from the third-party CS. Also, the results of the evaluation are typically used only during the design phase, thus missing out on potential security policies and mitigations that could be used during the system operation. In this sense, the Manufacturer Usage Description (MUD) allows the manufacturer to define access control policies that reduce the attack surface of a device. However, the limited expressiveness of this standard reduces the possibilities of its application in systems with more complex policies beyond the network level. We propose the usage of the MUD standard as a source of information for CPS modelling, providing information on interactions about third-party components of the system. In addition, we define an extended MUD model that deals with the expressiveness problems of the MUD and allows to automatically generate a behavioural profile that integrates the recommendations obtained from the assessment and modelling processes. The extended MUD could be used during runtime to reduce the attack surface of the system, enforce security configuration or even discern if a component is secure enough to be part of the ecosystem. Our approach has been validated in a real use case in the context of smart grid, to show its applicability.

MUD enabled deep learning framework for anomaly detection in IoT integrated smart building

Nowadays, many Internet of Things (IoT) devices of different types are used in creating smart applications like smart cities, smart industries, smart environments, and the applications of industry-4.0. IoT devices are used for different purposes, such as security, remote monitoring, resource allocation, threats, ecosystems, and vulnerabilities. This paper proposed a deep learning algorithm-based solution to tighten the security level in the IoT-Smart environment network. The Intrusion Detection System (IDS) considered in this paper is Network IDS, which investigates the manufacturer usage description, digital twins, and deep learning-based user behavior information. IoT devices' communication and the users in smart buildings are automatically connected in the Intelligent Communication system. Since many devices and users are interconnected in smart buildings, the probability of cyber-attack is high. Thus, better security is needed in smart buildings and smart environments. It should focus on securing IoT devices, users, and their communication. Hence, this paper developed a deep learning-based anomaly detection framework to dynamically monitor the issues and problems with MUD profiles and detect the anomaly behavior. The Manufacturer Usage Description (MUD) profiles, dynamic user behavior, IoT devices' traffic data the pattern of abnormal/anomaly traffic at the device level is predicted while traffic occurs. The MUD-ML-based model is implemented in Python software, verifying the results.

Integrating the Manufacturer Usage Description Standard in The Modelling of Cyber-Physical Systems

Integrating the Manufacturer Usage Description Standard in The Modelling of Cyber-Physical Systems

Combining Device Behavioral Models and Building Schema for Cybersecurity of Large-Scale IoT Infrastructure

Modern buildings are increasingly getting connected by adopting a range of IoT devices and applications from video surveillance and lighting to people counting and access control. It has been shown that rich connectivity can make building networks more exposed to cyberattacks and, hence, difficult to manage. Currently, there is no systematic approach for evaluating or enforcing cybersecurity of building systems with a large number of heterogeneous IoT devices. In this article, we aim to enhance cybersecurity of a large-scale IoT infrastructure by formally capturing the expected behavior of the system using the static profile of devices’ intended usage, buildings information, and network configurations (predeployment) along with dynamic diagnosis (post-deployment) of network activity using machine-learning models. Our contributions are threefold: 1) we develop a tool that automatically generates a formal ontology of network communications for a connected infrastructure by taking a description of buildings (in the form of Brick schema), device network behavior (in the form of manufacturer usage description (MUD) specifications, MUD profile), and network configurations (address, port, and VLAN) as inputs. We contribute our tool as opensource, and apply it to a subset of our university smart campus testbed, covering 20 IoT devices of three types deployed in seven different buildings. We translate the formal model into network flow rules and enforce them to the network at runtime using programmable networking techniques; 2) we, then, measure the network activity of device-specific flow rules and diagnose their health using a set of trained anomaly detection models (one-class classifiers) each corresponding to a particular type of device and specific building location, and demonstrate how our method detects attacks with reasonable accuracy of 92.5%; and (3) finally, we demonstrate three types of location-defined network policies (deployment, administrative, and organizational) that can be verified by this formal model.

DNSguard: A Raspberry Pi-Based DDoS Mitigation on DNS Server in IoT Networks

IoT development has increased the likelihood of several security attacks, such as Mirai, VPNFilter, and DNS (Domain Name System) flooding attacks. The DNS is a censorious component of smart home IoT infrastructure, a soft target for adversaries to launch DNS flooding attacks and impact poor QoS. This letter proposes DNSguard, a MUD-enabled two-level DNS flooding attack mitigation framework for IoT networks. DNSguard authenticates the behavioral profiles of Manufacturer Usage Description (MUD) compliant IoT devices and monitors traffic to detect and mitigate DNS flooding attacks at the local DNS server. The solution has been implemented using online DNS traffic in Raspberry Pi, and quantified response time decreased to 67.2%.

Federated Cyberattack Detection for Internet of Things-Enabled Smart Cities

While attack detection is key to realize trustworthy smart cities, the use of large amounts of network traffic data by machine learning techniques can lead to privacy issues for citizens. To face this issue, we propose a federated learning approach in the context of Internet of Things-enabled smart cities integrating the Threat and Manufacturer Usage Description files as a prevention/mitigation approach.

Software-Defined Security-by-Contract for Blockchain-Enabled MUD-Aware Industrial IoT Edge Networks

To ensure the proper functioning and performance of Industrial grade Internet of Things devices (IIoT) in Industry 4.0 networks, it is critical to identify the capabilities and malfunctions of their component devices (e.g., sensors, actuators, and controllers) and detect potential misbehavior arising due to cyber-attacks, and misconfiguration. We envision future IoT devices embed behavioral profiles through <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Security-by-Contract</i> (S×C) that are easy to validate and verify against network security policies; manufacturers to provide manufacturer usage description (MUD) profiles as a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">manifest</i> for the devices to signal to the network what sort of access and network functionality they require to properly function. We design authentication in the IoT onboarding process, employ blockchains to a verifiable and immutable repository to store this network manifests, that is signed and verifiable with S×C based <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">smart contracts</i> by the device manufacturer, or industry authority. The integrated framework combines blockchains and S×C security contracts, MUD-based behavioral fingerprinting, and software-defined-networking for managing the security of IIoT ecosystems. Finally, the proposed scheme is validated in a simulated IoT environment on various performance parameters.

Using manufacturer usage descriptions for IoT network security: An experimental investigation of smart home network devices

The Internet of Things (IoT) has shown significant growth in the past decades. Recently, IoT networks have been subject to cybersecurity threats on multiple fronts. A lack of improvement in IoT infrastructures' cybersecurity may result in challenges with a broad impact, such as DDoS attacks that target global DNS services. This paper reviews existing solutions to mitigate attacks on and from IoT networks. As a specific mitigation approach, we propose the use of a standardized whitelisting method, namely Manufacturer Usage Description (MUD), which provides enhanced explainability over machine learning-based approaches and is complementary to them. For evaluating the use of MUD in IoT networks, we report a case study, which we conducted through traffic analysis of two IoT devices by detecting recognizable and distinctive traffic patterns, which demonstrate the feasibility of MUD-based intrusion prevention.

MUD-Based Behavioral Profiling Security Framework for Software-Defined IoT Networks

The rapid development and deployment of Internet of Things (IoT) devices in modern networks and Industry 4.0 have attracted substantial interest from cybersecurity researchers. In this study, we propose a software-defined framework that improves network intrusion detection systems by using manufacturer usage description (MUD) to enhance the behavioral monitoring in IoT networks. We aim to explore whether Industrial IoT (IIoT) devices typically serve a common role in cyber&#x2013;physical systems, and their communications exhibit predictable patterns that can be defined in MUD profile(s) formally and succinctly. We design a framework that utilizes the concept of digital twins and software-defined networking to improve the security of IIoT environments. The MUD data are profiled, and the actions are evaluated on the network digital twin before they are used in the physical network. The behavioral profiling system is updated in real time, thereby improving the overall system security and compliance to policies in the IoT deployment. Evaluation results show that our solution outperforms existing approaches substantially in terms of attack detection accuracy, predicting security incidents, response time, and resource usage.

Security provision for protecting intelligent sensors and zero touch devices by using blockchain method for the smart cities

Internet of Things (IoT) networks has gained popularity due to their amazing and cost-effective services and one of the main areas in smart cities. The stability of these networks is based on stable and secure data transmission without any vulnerabilities present used devices. Distributed Denial of Services (DDoS) attacks have brought critical interruptions in IoT services and significantly damage the network. In DDoS attacks, attackers utilize botnets, with the capability of frequently exploiting the millions of IoT devices around the globe. After the source code of Mirai malware is loaded on GitHub, the threats are significantly increased. Manufacturer Usage Description (MUD) is an embedded software standard for IoT device makers to advertise device specifications, including the intended communication patterns when it connects to the network. Even though the MUD mechanism is promising exertion, still there is a need for evaluating its viability, recognize its limits, and upgrade its architecture to reduce shortcomings in its architecture as well as to increase its effectiveness. This standard neither identifies the vulnerability path before the creation of the MUD profile. Thus, it is possible to exploit an IoT device even after the MUD profile is issued to the device by manipulating the vulnerabilities in the device. By keeping in mind this situation, this paper discusses the limitations of MUD in detail and proposed a framework to identify the patch and default vulnerabilities by using blockchain method before the generation/creation of MUD profiles. The proposed framework can also mitigate open ports, DDoS attacks, and Brute force attacks. The experiment results show the identification, elimination, and sharing of vulnerability report with vendors and significantly minimized the risk of IoT device exploitation.

Role of Device Identification and Manufacturer Usage Description in IoT Security: A Survey

This paper presents an overview of device identification techniques and the Manufacturer Usage Description (MUD) standard used for the Internet of things to reduce the IoT attack surface. The ongoing diversity and the sheer increase in the number of connected IoT devices have crumpled security efforts. There is a need to reconsider and redesign the underlying concept of developing security systems to resolve IoT security challenges. In this backdrop, device profiling and identification have emerged as an exciting technique that helps to reduce IoT device attack surface. One of the known approaches for device identification is to fingerprint a device. There are many ways to fingerprint the device, mostly using device network flows or device local attributes. The device identification ensures the authenticity of the device attached to the network, like user authentication. Since IoT devices mostly work using machine-to-machine (M2M) communication, this requires identifying each device properly. But there is no unified approach for device identification for the ever-growing world of IoT devices and applications. One of the major steps forward in this direction is the development of the Manufacturer Usage Description (MUD) standard that defines the role of a device within the network. It limits the device to execute the primary task only, which will help to reduce the attack surface. Since the inception of MUD, many security frameworks use this standard for IoT security. However, there is a need to scrutinize the security frameworks based on the MUD, to find out the claimed effectiveness of the standard in IoT security. This paper initially identifies and classifies the potential vulnerabilities in IoT devices. Then, the study provides an overview of the research that focuses on device identification techniques and analyzes their role in IoT security. Finally, the research presents an overview of MUD technology, its implementation scenarios, the limitation of the latest MUD standard, and its applications in the industry. The prime aim of this work is to examine the MUD benefits in IoT security along with the weaknesses and challenges while implementing this standard along with future directions.

Mitigation of Privacy Threats due to Encrypted Traffic Analysis through a Policy-Based Framework and MUD Profiles

It has been proven in research literature that the analysis of encrypted traffic with statistical analysis and machine learning can reveal the type of activities performed by a user accessing the network, thus leading to privacy risks. In particular, different types of traffic (e.g., skype, web access) can be identified by extracting time based features and using them in a classifier. Such privacy attacks are asymmetric because a limited amount of resources (e.g., machine learning algorithms) can extract information from encrypted traffic generated by cryptographic systems implemented with a significant amount of resources. To mitigate privacy risks, studies in research literature have proposed a number of techniques, but in most cases only a single technique is applied, which can lead to limited effectiveness. This paper proposes a mitigation approach for privacy risks related to the analysis of encrypted traffic which is based on the integration of three main components: (1) A machine learning component which proactively analyzes the encrypted traffic in the network to identify potential privacy threats and evaluate the effectiveness of various mitigation techniques (e.g., obfuscation), (2) a policy based component where policies are used to enforce privacy mitigation solutions in the network and (3) a network node profile component based on the Manufacturer Usage Description (MUD) standard to enable changes in the network nodes in the cases where the first two components are not effective in mitigating the privacy risks. This paper describes the different components and how they interact in a potential deployment scenario. The approach is evaluated on the public dataset ISCXVPN2016 and the results show that the privacy threat can be mitigated significantly by removing completely the identification of specific types of traffic or by decreasing the probability of their identification as in the case of VOIP by 50%, Chat by 40% and Browsing by 33%, thus reducing significantly the privacy risk.

Verifying and Monitoring IoTs Network Behavior Using MUD Profiles

IoT devices are increasingly being implicated in cyber-attacks, raising community concern about the risks they pose to critical infrastructure, corporations, and citizens. In order to reduce this risk, the IETF is pushing IoT vendors to develop formal specifications of the intended purpose of their IoT devices, in the form of a Manufacturer Usage Description (MUD), so that their network behavior in any operating environment can be locked down and verified rigorously. This paper aims to assist IoT manufacturers in developing and verifying MUD profiles, while also helping adopters of these devices to ensure they are compatible with their organizational policies and track devices network behavior based on their MUD profile. Our first contribution is to develop a tool that takes the traffic trace of an arbitrary IoT device as input and automatically generates the MUD profile for it. We contribute our tool as open source, apply it to 28 consumer IoT devices, and highlight insights and challenges encountered in the process. Our second contribution is to apply a formal semantic framework that not only validates a given MUD profile for consistency, but also checks its compatibility with a given organizational policy. We apply our framework to representative organizations and selected devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance testing. Finally, we show how operators can dynamically identify IoT devices using known MUD profiles and monitor their behavioral changes on their network.

Security Architecture for Defining and Enforcing Security Profiles in DLT/SDN-Based IoT Systems.

Despite the advantages that the Internet of Things (IoT) will bring to our daily life, the increasing interconnectivity, as well as the amount and sensitivity of data, make IoT devices an attractive target for attackers. To address this issue, the recent Manufacturer Usage Description (MUD) standard has been proposed to describe network access control policies in the manufacturing phase to protect the device during its operation by restricting its communications. In this paper, we define an architecture and process to obtain and enforce the MUD restrictions during the bootstrapping of a device. Furthermore, we extend the MUD model with a flexible policy language to express additional aspects, such as data privacy, channel protection, and resource authorization. For the enforcement of such enriched behavioral profiles, we make use of Software Defined Networking (SDN) techniques, as well as an attribute-based access control approach by using authorization credentials and encryption techniques. These techniques are used to protect devices’ data, which are shared through a blockchain platform. The resulting approach was implemented and evaluated in a real scenario, and is intended to reduce the attack surface of IoT deployments by restricting devices’ communication before they join a certain network.

EMUD: Enhanced Manufacturer Usage Description for IoT Botnets Prevention on Home WiFi Routers

Distributed Denial of Service (DDoS) attacks have caused significant disruptions in the operations of Internet-based services. These DDoS attacks use large scale botnets, which often exploit millions of compromised Internet of Things (IoT) devices worldwide. IoT devices are traditionally less secure and are easy to be exploited. The extent of these exploitations has increased after the publication of the Mirai botnet source code on GitHub that provided a foundation for the attackers to develop and launch Mirai botnet variants. The Internet Engineering Task Force (IETF) proposed RFC 8520 Manufacturer Usage Description (MUD) so that an IoT device can convey to the network the level of network access it requires to accomplish its standard functionality. Though MUD is a promising effort, there is a need to evaluate its effectiveness, identify its limitations, and enhance its architecture to overcome its weakness and improve its efficiency. The latest Mirai variant malware is exploiting vulnerabilities of Internet of Things devices. As MUD does not consider identifying and patching vulnerabilities present in the device before the issuance of the MUD profile, a device can be compromised even in the presence of the Manufacturer Usage Description profile by exploiting either the configuration vulnerabilities or firmware vulnerabilities present in the device. This paper presents an evaluation study of the Manufacturer Usage Description (MUD), identifies its weaknesses, and proposed enhancements in its architecture. This research proposed a mechanism for identifying and eliminating the configuration vulnerabilities before creating the MUD profile for a device to minimize the attack surface. This research adopts the OWASP firmware testing methodology for discovering vulnerabilities in the firmware of WiFi home routers. The device is allowed to request the MUD profile only if the identified firmware vulnerabilities are low. The identified firmware vulnerabilities are patched in case the score of the identified firmware vulnerabilities is moderate or high. The device is allowed to request the MUD profile after the vulnerabilities are patched. The firmware vulnerabilities are shared with other peers using blockchain smart contracts. There is a possibility that the MUD URL might be pointing to a corrupted or malicious MUD profile hosted at the attacker file server due to the absence of an authentication mechanism in the MUD process. This research also proposed an authentication mechanism for device MUD profile, MUD file generator, and MUD file server. Implementation results show that proposed enhancements improve the security services provided by the Manufacturer Usage Description (MUD).

SDN based Intrusion Detection and Prevention Systems using Manufacturer Usage Description: A Survey

Internet of things (IoT) is an emerging paradigm that integrates several technologies. IoT network constitutes of many interconnected devices that include various sensors, actu-ators, services and other communicable objects. The increasing demand for IoT and its services have created several security vulnerabilities. Conventional security approaches like intrusion detection systems are not up to the expectation to fulfil the security challenges of IoT networks, due to the conventional technologies used in them. This article presents a survey of intrusion detection and prevention system (IDPS), using state of art technologies, in the context of IoT security. IDPS constitutes of two parts: intrusion detection system and intrusion prevention system. An intrusion detection system (IDS) is used to detect and analyze both inbound and outbound network traffic for malicious activities. An intrusion prevention system (IPS) can be aligned with IDS by proactively inspecting a system’s incoming traffic to mitigate harmful requests. The alignment of IDS and IPS is known as intrusion detection and prevention systems (IDPS). The amalgamation of new technologies, like software-defined network (SDN), machine learning (ML), and manufacturer usage description (MUD), in IDPS is putting the security on the next level. In this study IDPS and its performance benefits are analyzed in the context of IoT security. This survey describes all these prominent technologies in detail and their integrated applications to complement IDPS in the IoT network. Future research directions and challenges of IoT security have been elaborated in the end.

Enforcing Behavioral Profiles through Software-Defined Networks in the Industrial Internet of Things

The fourth industrial revolution is being mainly driven by the integration of Internet of Things (IoT) technologies to support the development lifecycle of systems and products. Despite the well-known advantages for the industry, an increasingly pervasive industrial ecosystem could make such devices an attractive target for potential attackers. Recently, the Manufacturer Usage Description (MUD) standard enables manufacturers to specify the intended use of their devices, thereby restricting the attack surface of a certain system. In this direction, we propose a mechanism to manage securely the obtaining and enforcement of MUD policies through the use of a Software-Defined Network (SDN) architecture. We analyze the applicability and advantages of the use of MUD in industrial environments based on our proposed solution, and provide an exhaustive performance evaluation of the required processes.

Extending MUD Profiles Through an Automated IoT Security Testing Methodology

Defining the intended behaviour of IoT devices is considered as a key aspect to detect and mitigate potential security attacks. In this direction, the Manufacturer Usage Description (MUD) has been recently standardised to reduce the attack surface of a certain device through the definition of access control policies. However, the semantic model is only intended to provide network level restrictions for the communication of such device. In order to increase the expressiveness of this approach, we propose the use of an automated IoT security testing methodology, so that testing results are used to generate augmented MUD profiles, in which additional security aspects are considered. For the enforcement of these profiles, we propose the use of different access control technologies addressing application layer security concerns. Furthermore, the methodology is based on the use of Model-Based Testing (MBT) techniques to automate the generation, design and implementation of security tests. Then, we describe the application of the resulting approach to the Elliptic Curve Diffie-Hellman over COSE (EDHOC) protocol, which represents a standardisation effort to build a lightweight authenticated key exchange protocol for IoT constrained scenarios.