Anomaly Detection with Machine Learning in IoT Cellular Networks

Academic year: 2022

Anomaly Detection with Machine Learning in IoT Cellular Networks

Master Thesis

Imran Qayyum Khan

Thesis submitted for the degree of Master in Informatics: Network and System Administration, 60 credits

Department of Informatics

Faculty of mathematics and natural sciences

UNIVERSITY OF OSLO


Anomaly Detection with Machine Learning in IoT

Cellular Networks

Master Thesis

Imran Qayyum Khan

Supervisor:

Prof. Dr. Thanh van Do

Telenor Group, Telenor Research; Oslo Metropolitan University, Oslo, Norway

Co-Supervisor:

Prof. Boning Feng

Oslo Metropolitan University, Oslo, Norway


© 2020 Imran Qayyum Khan

Anomaly Detection with Machine Learning in IoT Cellular Networks http://www.duo.uio.no/

Printed: Reprosentralen, University of Oslo


Abstract

The number of Internet of Things (IoT) devices is increasing day by day.

This growing number of IoT devices poses a big challenge in the field of security, especially for network and telecom operators, IoT service providers and also for the users. Implementing security on IoT devices brings very big challenges. Attackers launch many attacks against IoT devices, such as Distributed Denial of Service. To detect and prevent these types of attack on IoT devices that use the mobile network, a proper overview of the existing threats and vulnerabilities is needed.

The main purpose of this thesis is to present and compare different machine learning algorithms. Supervised machine learning classification methods are used in this study, where five machine learning algorithms are tested and evaluated by their performance. Both datasets are analyzed using these algorithms, namely k-NN, SVM, naïve Bayes, decision tree and logistic regression. Four algorithms, k-NN, SVM, decision tree and logistic regression, behave similarly, but naïve Bayes shows some inconsistencies in this experiment. Still, we see that the accuracy and precision of the models are on average above 90%.


Acknowledgements

First of all, I would like to thank Almighty God, who helped me to complete this thesis work. Secondly, I would like to thank my Supervisor Prof. Dr. Thanh van Do for his support and the guidelines provided throughout my master thesis. I would also like to thank my Co-Supervisor Prof. Boning Feng, who gave me the opportunity to write about such an interesting topic.

With the help of both of you, I overcame the challenges faced throughout my thesis.

I am grateful to Prof. Hårek Hagerud as my teacher, and to Kyrre Begnum as a knowledgeable professor and great person who gave motivation, advice and knowledge, especially in the field of cloud computing and automation. I would also like to thank Prof. Anis Yazidi as a teacher, who guided us on how to write a thesis.

Thanks to the University of Oslo and Oslo Metropolitan University (OsloMet) for granting me admission, and to the Norwegian Government for providing me the opportunity to fulfill my dream of doing my Master in Network and System Administration.

I would like to thank everyone involved in this master program. My special thanks and appreciation go to Bernardo Santos, who always had time for me and my questions. With his advice, proof-reading and comments I was able to improve my thesis document.

I would like to thank all my friends and colleagues, especially Tariq Mahmood as a study partner and Syed Zyyad Ali Shah, who gave tremendous suggestions and advice throughout this degree. All credit for this degree goes to my best friend Hammad Raza; without his motivational speeches I would never have come to Norway and started this program.

Finally, I would like to thank my beloved parents, brothers, sisters, my wife and my lovely daughters. Without their encouragement and support none of this would have happened.

Author

Imran Qayyum Khan


Contents

1 Introduction
1.1 Background
1.2 Motivation
1.3 IoT in Industry
1.3.1 Healthcare
1.4 Problem Statement
1.5 Research Methodology
1.6 Thesis Structure
2 Background and Related Work
2.1 Cellular Networks
2.1.1 Cellular Networks Architecture Concepts
2.1.2 Evolution of Mobile Technologies
2.2 Vulnerability, Security Threats and Attacks
2.2.1 Vulnerability
2.2.2 Threat
2.2.3 Attack
2.3 Security Challenges
2.3.1 UMTS (Universal Mobile Telecommunication System)
2.3.2 LTE (Long Term Evolution)
2.3.3 5G
2.4 IoT
2.4.1 NB-IoT
2.4.2 Protocol Vulnerabilities in IoT
2.5 What is DDoS
2.5.1 DDoS attacks, an overview
2.5.2 DDoS Direct and Indirect attacks
2.5.3 How attackers launch a DDoS attack
2.5.4 DDoS attack types
2.5.5 UDP attack
2.5.6 Detection of DDoS Traffic
2.6 Machine Learning
2.6.1 Supervised Learning
2.6.2 Unsupervised Learning
2.6.3 Deep Learning
2.6.4 Reinforcement Learning
2.7 Related Work
3 Approach
3.1 Objectives
3.2 Design Phase
3.3 Implementation and Experiment phase
3.3.1 Data Collection
3.3.2 Used Tools and Software
3.3.3 Collection of Normal and DDoS attack traffic
3.3.4 Feature Extraction
3.4 Methodology
3.4.1 Cleaning and Transformation
3.4.2 Splitting of Dataset
3.4.3 Modeling
3.4.4 Evaluation
4 Results
4.1 First Threshold - (Length below 100 bytes)
4.1.1 Normal Scenario
4.1.2 DDoS Scenario
4.2 Second Threshold - (Length between 50 and 70 bytes & between 160 and 180 bytes)
4.2.1 Normal Scenario
4.2.2 DDoS Scenario
5 Evaluation / Discussion
6 Conclusion and Future Work
6.1 Conclusion
6.2 Future Work
A Modeling Source Code
B Dataset Samples


List of Tables

1 Specification of dataset CICDDoS2019 [124]
2 Labeling of binary classification
3 scikit-learn Python Library [130]
4 Classifier statistics (Normal)
5 Performance Metrics
6 Classifier statistics (DDoS)
7 Performance Metrics (DDoS Dataset)
8 Classifier statistics (Normal)
9 Performance Metrics (Normal Dataset)
10 Classifier statistics (DDoS)
11 Performance Metrics (DDoS Dataset)


List of Figures

1 Internet of Things [4]

2 IoT environment

3 Cellular IoT connections by segment and technology (billion) [5]

4 Massive vs. Critical IoT [12]

5 The three-tier Architecture of the H-IoT systems [22]

6 Mobile subscriptions by technology [5]

7 Different Generations in Telecom [30]

8 ITU X.805 Framework [37]

9 Security threats in 5G [31]

10 NB-IoT deployment [44]

11 Partial Deployment of NB-IoT [44]

12 IoT Protocol Stack

13 MQTT in IoT [50]

14 Some Applications in ZigBee [59]

15 DDoS Attack [65]

16 Attack Life Cycle [18]

17 Direct and Indirect Attacks [74]

18 Complex Reflection Attack [74]

19 DDoS Attack Types [75]

20 Machine Learning [86]

21 An example of KNN classification [89]

22 Structure of Decision Tree [90]

23 an example of separable problem in 2 dimensional space [92]

24 An example - Naïve Bayes model [95]

25 an example - Regression in Gaussian distribution [98]

26 Research Methodology

27 End to End Communication in Network

28 Proposed Method for DDoS Detection

29 Test Lab Devices

30 Test Lab Network

31 Testbed Architecture [124]

32 Wireshark capturing [123]

33 Parametric/non-parametric models

34 k-NN classifier - an example [133]

35 Pseudo-code for k-NN Algorithm [133]

36 SVM - an example [133]

37 Pseudo-code for SVM Algorithm [133]

38 Pseudo-code for Naïve Bayes Algorithm [133]

39 Pseudo-code for Decision Tree Algorithm [133]

40 Pseudo-code for Logistic Regression Algorithm [133]

41 K-Nearest Neighbors
42 Error Rate vs K
43 Other Classifiers
44 K-Nearest Neighbors
45 Error Rate vs K
46 Other Classifiers
47 K-Nearest Neighbors
48 Error Rate vs K
49 Other Classifiers
50 K-Nearest Neighbors
51 Error Rate vs K
52 Other Classifiers
53 Overview of Performance Metrics (Normal - 1st Threshold)
54 Overview of Performance Metrics (DDoS - 1st Threshold)
55 Overview of Performance Metrics (Normal - 2nd Threshold)
56 Overview of Performance Metrics (DDoS - 2nd Threshold)
57 First Dataset Sample (Before Transform)
58 First Dataset Sample (After Transform)
59 Second Dataset (Before Transform)
60 Second Dataset (After Transform)


Listings

1 Transformation
2 Labeling
3 Splitting of data
4 Classifiers used in this work
5 Evaluation model
6 find K value - Normal (First Threshold)
7 find K value - DDoS (First Threshold)
8 find K value - Normal (Second Threshold)
9 find K value - DDoS (Second Threshold)
10 Source code


Acronyms

6LoWPAN IPv6 over Low-Power Wireless Personal Area Network
AMQP Advanced Message Queueing Protocol
BSN Body Sensor Network
C-IoT Cellular IoT
CALLER ID Caller identification
CoAP Constrained Application Protocol
COVID-19 Coronavirus Disease 2019
CRISP-DM Cross-industry standard process for data mining
DDoS Distributed Denial of Service
DNS Domain Name Server
DoNAS Data over Non-Access stratum
DoS Denial of Service
eNodeB evolved Node B
EPC Evolved Packet Core
GPS Global Positioning System
GSM Global System for Mobile Communication
HSS Home Subscriber Server
ICMP Internet Control Message Protocol
ICRC International Committee of Red Cross
IMSI International Mobile Subscriber Identity
IoT Internet of Things
k-fold k-Fold Cross-Validation
LTE Long Term Evolution
M2M Machine to Machine
MME Mobility Management Entity
MQTT Message Queue Telemetry Protocol
NAS Non-Access stratum
NB-IoT Narrow Band Internet of Things
PDN Packet Data Network
PGW Packet Gateway
QCI QoS Class Identifier
RAN Radio Access Network
RFID Radio Frequency Identification
SGW Serving Gateway
TCP Transmission Control Protocol
UDP User Datagram Protocol
UE User Equipment
UMTS Universal Mobile Telecommunications System
XMPP Extensible Messaging and Presence Protocol


1 Introduction

In this chapter, we set the context of this thesis, explaining the motivation, aim, research questions, delimitation and contribution of this thesis’s work. In addition, the last section outlines the whole content of this thesis.

1.1 Background

Internet of Things (IoT) is described as a “network to connect anything with the Internet based on stipulated protocols through information sensing equipments to conduct information exchange and communications in order to achieve smart recognitions, positioning, tracing, monitoring, and administration [1].”

By providing IoT-based applications and services such as smart healthcare, energy control, process monitoring, environmental observation and fleet management [2] [3], IoT is providing new capabilities and opportunities for end-users. As per 2020 forecasts by Cisco Systems [4], 50 billion internet of things, including cardiac monitors, thermostats, smartphones, surveillance cameras, kitchen appliances, cars and televisions, are connected via the internet. Figure 1 illustrates the IoT connectivity of devices like refrigerators, washing machines, pets, healthcare, energy grids and transport systems, all connected to the internet [4].

Figure 1: Internet of Things [4]

The IoT environment, which consists of three groups, namely the manufacturers of gadgets, the IoT applications running on application servers and the Evolved Packet Core (EPC), shown in figure 2, has a role for telecommunications operators. In this context, each of these parties should ensure the protection, security and availability of services to the consumer [5] [6].

Figure 2: IoT environment

Inside the personal area network, IoT devices transmit packets via Z-Wave and Zigbee, while in the wide area network packets are transmitted through GSM, UMTS and LTE. Packets from the eNodeB are forwarded to the EPC, whose four nodes are the Mobility Management Entity (MME), Home Subscriber Server (HSS), Serving Gateway (SGW) and Packet Data Network Gateway (PGW).

Ericsson forecast report (C-IoT connections by segment and technology) states that “The Massive IoT technologies NB-IoT and Cat-M1 continue to be rolled out around the world, but at a slightly slower pace in 2020 than previously forecasted due to the impact of COVID-19. 2G and 3G connectivity still enables the majority of IoT applications, but during 2019, the number of Massive IoT connections increased by a factor of 3, reaching close to 100 million connections at the end of the year.” [7].

In figure 3 Ericsson has predicted that some 29 billion IoT gadgets will be in use by 2025 [5]. Of these, 18 billion are IoT devices, such as motion and door sensors and smart devices [5], and 11 billion of the overall devices are smartphones.

In the current advanced stage, IoT is leading the charge and offering powerful services such as new market opportunities, growth in trade revenues, decision-making, cost reduction, security and safety, enhanced citizen participation and a system of measures [2]. In any case, 70% of IoT devices contain vulnerabilities in areas such as encryption and password security, among others, that give attackers open access for extreme attacks such as Denial of Service (DoS) [8].

Figure 3: Cellular IoT connections by segment and technology (billion) [5]

Attackers are trying new techniques to break security, steal intellectual property and disrupt sensitive information. Regular security threats are becoming more dangerous to defeat and more complex. Therefore, we need to be aware of what kind of security monitoring is needed [9]. The way to defend IoT against attackers is to learn how to predict attacks [2] [3].

In the era of machine-to-machine (M2M), machine-to-person and person-to-person interfaces, IoT is categorized in two forms based on its specifications and characteristics, massive IoT and critical IoT [10] [11], as shown in figure 4.

Massive IoT uses a large range of sensor and actuator gadgets that are relatively inexpensive and designed to maintain a long battery life. A few examples of massive IoT are found in smart cities, agriculture, transport and logistics. Critical IoT applications include autonomous vehicles, remote surgery, remote manufacturing, etc., requiring high usability, ultra-reliability and low latency [5].

Any security issue arising from the delay or inaccessibility of the service to any of these groups will have a possible impact on business and society [13]. Because they lack the computational power, capacity and battery life needed to conduct authentication, encryption and safety calculations [8] [6], enormous quantities of resource-restricted IoT devices are connected to an arrangement that generates a vast amount of information, which poses security challenges to the entire IoT network. In this way IoT devices are very vulnerable to attacks such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) [14] [13].

Figure 4: Massive vs. Critical IoT [12]

Attackers are attempting new methods to develop or create security threats that cause theft of everything from intellectual property to confidential data. These days security attacks are growing more precarious and more sophisticated, so we should recognize what kinds of security controls are mandatory [9]. Discovering how to predict attacks is the only way to protect IoT against attackers [3].

During the COVID-19 pandemic, cyber criminals have posed massive challenges, especially in the health field. They took advantage of this health crisis to develop their attacks on healthcare, hospitals, medical research centers and international public health organizations. Due to these threats, the International Committee of the Red Cross (ICRC) and other members have published a letter to various governments asking them to do more to protect these medical organizations from cyber-attacks [15].

Any security concerns will lead to interruption or inaccessibility of the services in any of these categories affecting business and communities alike [13].

1.2 Motivation

IoT coordinates millions of web-based devices to make our everyday lives easier; however, it faces security challenges that need consideration, as IoT objects are ineffectively controlled, maintained and protected [16].


IoT DDoS attacks were the dominant attack in 2017, in line with the Arbor Security report [17], and 65 percent of the attacks carried out in 2016 were significant DDoS attacks. The Mirai DDoS attack [18], the biggest attack ever, was triggered by the infection of defective IoT devices. Consequently, DDoS attacks should be detected and mitigated.

Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and DNS flooding are the most common DDoS attacks. Protection measures are challenging to enforce due to the limitations in memory and power and the heterogeneous nature of IoT devices.

1.3 IoT in Industry

This example illustrates how IoT and its vulnerabilities will affect our lives. Due to urbanization and population growth, the need for a green environment is currently expanding. “Green rooftops” are a way to preserve a green, high-quality environment: water quality can be improved, and carbon dioxide, urban heat islands, noise, energy use and air pollution reduced [19]. However, it is difficult for a human to cut grass that grows on the rooftops, while grass-cutting robots can do it effectively. It would be costly and impractical for each owner of a green roof to acquire a robot.

Consider instead a company that owns a few robots and contracts with green roof owners to cut the grass on a schedule based on its growth. IoT can automate this task with a drone that uses geofencing, a service based on GPS, CALLER ID and RFID, to carry the robots to the rooftops. Geofencing is also used by the robots to prevent them from falling or moving outside the roof barrier. In this case, therefore, IoT brings ecological and financial benefits by enabling devices to communicate. However, if an intruder launches a DoS attack or misinforms the drones or robots, the consequences can be quite harmful.

IoT security is therefore very important, and the results of IoT attacks can be more dangerous than web attacks. As EY states, “Our Cyber Risk Management services help organizations tackle the many security challenges they face on a daily basis — supporting risk-based decisions and improved cybersecurity, reducing costs related to managing security risk, and improving their overall cybersecurity posture” [20].

1.3.1 Healthcare

Healthcare is one of the most important areas in which IoT has provided comfort to both physicians and patients, with important aspects such as real-time observation, health care and patient data management.

Body Sensor Network (BSN) innovation is another breakthrough that makes it possible for a physician to collect data from patients and monitor them further via highly constrained devices that use a lightweight protocol such as CoAP for data transmission [21].


As shown in figure 5, these devices collect and transmit sensitive information to another node, such as a gateway. The protection and security of these sensor devices is extremely important because they hold the patient’s critical data. Any unauthorized entry, leakage or capture of these devices can cause serious harm to patients.

Figure 5: The three-tier Architecture of the H-IoT systems [22]

The information segment can be changed by an attack. Through changes to fragments and manipulation of packets, the data is altered, which can be dangerous and life-critical [23] [21]. If an intruder inflicts a DoS on the device that should react to a patient’s high heart rate, the device will not be triggered, and this will cause real problems and in some cases death.

1.4 Problem Statement

This thesis aims to analyze different machine learning techniques that can help in detecting or even predicting an exploit targeting IoT devices connected to a cellular network. The hypothesis of this thesis is as follows:

If we are able to obtain information from the control and data plane in a cellular network, coming from IoT devices, we can use machine learning and anomaly detection algorithms on these data to see if it allows us to detect or even predict an upcoming attack.


1.5 Research Methodology

The aim of this thesis is to detect anomalies in IoT devices that are connected to a cellular network. There are three key stages: information collection (normal and DDoS traffic), feature extraction and selection, and machine learning classification. To this end, packets were generated by IoT devices. Normal and DDoS events were collected separately during the information collection process. The information was pre-processed and classified in the final stage with the Scikit-learn tool [24]. Using the best-known classifiers (k-NN, SVM, naïve Bayes, decision tree and logistic regression), a performance evaluation was made for the task at hand.
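The three stages above (collecting normal and DDoS packets, extracting per-window features, classifying and evaluating) as an added example that is not code from the thesis: the packet records are constructed, k-NN is written by hand instead of using scikit-learn, and the thesis's first length threshold (packets below 100 bytes) is kept as one feature.

```python
import random
import statistics
from collections import Counter

RNG = random.Random(7)       # fixed seed so the constructed data is reproducible
LENGTH_THRESHOLD = 100       # first threshold used in the thesis: packets < 100 bytes

def synth_packets(label, n_windows, start_window):
    """Constructed packet records (timestamp, source, length, label), not a capture.
    label 0 (normal): a few sources sending mixed-size packets in each window.
    label 1 (DDoS): many sources flooding each window with small UDP-sized packets."""
    packets = []
    for w in range(start_window, start_window + n_windows):
        if label == 0:
            count, sources, lo, hi = RNG.randint(5, 20), 3, 60, 600
        else:
            count, sources, lo, hi = RNG.randint(80, 200), 40, 40, 90
        for _ in range(count):
            src = "10.0.%d.%d" % (label, RNG.randint(1, sources))
            packets.append((w + RNG.random(), src, RNG.randint(lo, hi), label))
    return packets

def extract_features(packets, window_s=1.0):
    """Stage 2: group packets into time windows and build one feature vector per
    window: [packet count, unique sources, mean length, share below threshold].
    Returns (feature_vectors, labels); a window takes the majority label."""
    windows = {}
    for ts, src, length, label in packets:
        windows.setdefault(int(ts // window_s), []).append((src, length, label))
    X, y = [], []
    for key in sorted(windows):
        pkts = windows[key]
        lengths = [length for _, length, _ in pkts]
        X.append([len(pkts),
                  len({src for src, _, _ in pkts}),
                  statistics.mean(lengths),
                  sum(length < LENGTH_THRESHOLD for length in lengths) / len(lengths)])
        y.append(Counter(lbl for _, _, lbl in pkts).most_common(1)[0][0])
    return X, y

def fit_scaler(X):
    """Min-max bounds per feature, learned on training data only."""
    return [(min(col), max(col)) for col in zip(*X)]

def scale(x, scaler):
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, (lo, hi) in zip(x, scaler)]

def knn_predict(train_X, train_y, x, k=3):
    """Stage 3: majority vote among the k nearest training windows (Euclidean)."""
    ranked = sorted((sum((a - b) ** 2 for a, b in zip(tx, x)), ty)
                    for tx, ty in zip(train_X, train_y))
    return Counter(ty for _, ty in ranked[:k]).most_common(1)[0][0]

def split(X, y, test_share=0.3):
    """Shuffled hold-out split, as a stand-in for the thesis's train/test split."""
    idx = list(range(len(X)))
    RNG.shuffle(idx)
    cut = int(len(idx) * (1 - test_share))
    tr, te = idx[:cut], idx[cut:]
    return [X[i] for i in tr], [y[i] for i in tr], [X[i] for i in te], [y[i] for i in te]

def evaluate(y_true, y_pred):
    """Accuracy, plus precision and recall for the DDoS class (label 1)."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    return {"accuracy": sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true),
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}

def run_pipeline(n_windows=40, k=3):
    """Stage 1 (constructed normal + DDoS windows) through stage 3."""
    packets = synth_packets(0, n_windows, 0) + synth_packets(1, n_windows, n_windows)
    X, y = extract_features(packets)
    tr_X, tr_y, te_X, te_y = split(X, y)
    scaler = fit_scaler(tr_X)
    tr_scaled = [scale(x, scaler) for x in tr_X]
    preds = [knn_predict(tr_scaled, tr_y, scale(x, scaler), k) for x in te_X]
    return evaluate(te_y, preds)

if __name__ == "__main__":
    print(run_pipeline())
```

The constructed classes are cleanly separable, so the metrics come out at 1.0; real captures, as the thesis's results show, are noisier.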

1.6 Thesis Structure

The thesis is organized as follows.

Chapter 1 Introduction: Short overview of the security problems in IoT, machine learning and DoS attacks, and the purpose of this thesis.

Chapter 2 Background and Related Work: What kind of technologies and concepts are involved in the thesis, and also some related work.

Chapter 3 Approach: Planned steps that are important to address the given problem statement, along with descriptions of the experiment design, methodology and results evaluation approach.

Chapter 4 Results: Presents the outcome of what was done and explains how the project was implemented and how the experiment was conducted.

Chapter 5 Discussion / Evaluation: Given the obtained outcome, outlines are provided as to what to do when facing the problem selected in this thesis, with acknowledgment of shortcomings.

Chapter 6 Conclusion: Summarizes the thesis, highlighting the obtained results, and provides guidelines for continuation of the research topic.


2 Background and Related Work

This chapter presents the evolution of mobile technologies, the Internet of Things and an overview of the available security mechanisms for this sector. The chapter starts by describing the mobile technologies and the difference between attack, threat and vulnerability, and continues with what a DDoS attack is and how it can be inflicted. It showcases how other researchers have used machine learning to detect DDoS attacks and what techniques they have used so far. In addition, this chapter describes the life cycle of the attack and clarifies in a single summary how the attack can be detected within the network traffic.

2.1 Cellular Networks

A communication network where the last link is wireless is called a cellular network or mobile network. The coverage of this network is spread out over land in what are called “cells”, each normally served by three cell sites or base transceiver stations. With these base stations, the cell provides network coverage that is used for the transmission of data, voice and other types of content [25].

2.1.1 Cellular Networks Architecture Concepts

We first need to understand the mobile network architecture and how packets travel in end-to-end communication between user equipment and IoT servers. The core network architecture is described below:

1. User Equipment: Devices such as smartphones and IoT devices that interact with the network and core services. When communicating with a network, each user’s device holds a unique identification for connecting.

2. eNodeB: evolved NodeB is abbreviated as eNodeB or eNB and is part of the LTE network. User equipment is connected to the EPC through the air interface with the help of the eNodeB. The link established between the eNodeB and the UE is called the radio interface. The eNodeB is responsible for user data stream encryption, radio resource management and IP header compression in accordance with 3GPP Release 8, user plane routing to the SGW, preparation and transmission of paging and broadcast messages, and MME selection at UE attachment when no routing to an MME can be determined from the information provided by the UE [26].

3. MME: The Mobility Management Entity (MME) handles the control plane and manages security and mobility related signaling with the eNodeB. In addition, the MME may negotiate with the user plane in the case of DoNAS (Data over Non-Access Stratum). The MME is also responsible for paging user equipment in idle mode, tracking area list management, roaming, NAS signaling and NAS signaling security [27] [28].

4. HSS: The Home Subscriber Server (HSS) is a standardized function that stores the individual authorization and service profiles of all subscribers. The HSS acts as a database containing both the public and private identities of the subscriber, credentials, the IMSI and the data that describe the type of service each user receives under their mobile subscription. The HSS is consulted when a device asks for radio resources, to check the status of the device’s IMSI. Other features of the HSS include support of location functions, mobile roaming, home location registers, subscriber preference settings and the mobile authentication server [29].

5. SGW: For the eNodeB, the Serving Gateway (SGW) is the local mobility anchor point. The SGW is responsible for packet forwarding, inspection, routing, and uplink and downlink charging per PDN, UE and QCI [27].

6. PGW: The Packet Data Network Gateway (PGW) is the gateway interfacing the EPC to external IP networks. PGW features include deep packet inspection, IP address assignment to the UE, lawful interception, user packet filtering, uplink and downlink service-level charging and policy control [27].

2.1.2 Evolution of Mobile Technologies

Currently there are 16 billion cellular subscriptions from 2G to 4G, and the number is gradually increasing [18] with the 5G generation to approximately 28 billion including IoT devices. Figure 6 clearly shows the increase in subscribers across the shifts from 2G to 3G and 4G. The boom of subscriptions (for users and devices) has now arrived, and faster data and a low-latency network are needed to accommodate such an increase [18].

Figure 6: Mobile subscriptions by technology [5]

1. 2G - GSM/CDMA: GSM stands for Global System for Mobile Communication, a technology used for the transmission of data and voice services. The concept of GSM emerged in Bell Laboratories in the 1970s. GSM is the most widely implemented and standardized technology around the world. GSM is a circuit-switching system that divides 200 kHz channels into eight 25 kHz channels. In most parts of the world GSM mobile communication uses the 900 MHz and 1800 MHz bands. In the US, GSM operates on 850 MHz and 1900 MHz. [31]

Figure 7: Different Generations in Telecom [30]

After almost 10 years, in 1991, 2G was launched with more features and services, such as improved coverage and, of course, much higher voice quality than 1G. The speed was increased to 64 kbps in 2G, and the first digital solutions were used, like GSM (Global System for Mobile), CDMA (Code Division Multiple Access) and TDMA (Time Division Multiple Access). 2G was used for voice and packet switching.

Thanks to low-cost base stations and mobile sets, GSM technology is popular around the world. On the basis of the GSM architecture, technologies grew more advanced in the next generation (3G) systems and LTE. The Base Station Subsystem consists of the Base Transceiver Station (BTS) unit, which is connected to the mobile station (MS) over the air interface, and the Base Station Controller (BSC). The BSC manages the process from the BTSs to the exchange center; handover between BTSs is also monitored. The Network Switching Subsystem is another sub-component. It contains the Mobile Switching Center (MSC) and the subscriber databases. The MSC performs the switching part and routes the call from the calling party to the called party. The MSC is connected to the Public Switched Telephone Network (PSTN). The Home Location Register (HLR) and Visitor Location Register (VLR) are used to verify the claimed identity of the subscriber at the MSC. [31]

2. Third Generation (3G) - UMTS: A new era of technology began in 2003 when 3G was launched. 3G set off the boom in mobile devices and smartphones powered by 3G services. 3G was based on digital voice and also included digital IP, web mail and SMS information. The technologies used in 3G were W-CDMA and UMTS. The speed was expanded to 2,000 kbps in 3G, and the first mobile broadband was also introduced [32].


3. Fourth Generation (4G) - LTE: 4G/LTE was introduced to obtain higher web speeds on mobile devices. Networks and apps eventually required higher speeds, so 4G was launched in 2011 because of this massive need for faster internet access; it is still used in conjunction with 2G and 3G. 4G was designed around an IP-based protocol (LTE) for data and interactive media. The switching technique used in 4G is packet switching. The speed increased to 100,000 kbps [32].

4. Fifth Generation (5G): Due to the higher usage of devices in recent years, the new concept of high-speed internet was introduced, and for high-speed internet a next-generation transport network is required. 5G is the answer to these questions; 5G will be very useful in the year 2020. The 5G breakthrough brings digital voice and data capacity and special features for IoT (Internet of Things), AR (Augmented Reality) and VR (Virtual Reality). Anything from smart cars to city grids and other items communicate with each other in the smart IoT using different protocols, such as CISCO CCN and the MQTT protocol. Packet switching technology is used in the 5G network. The latency in the 5G network is only 1 ms [32].

2.2 Vulnerability, Security Threats and Attacks

Before moving on to IoT security, we should understand the difference between a vulnerability, a threat and an attack.

2.2.1 Vulnerability

A vulnerability is a weak point in an information system where an attacker can gain internal control and launch an attack or unauthorized activity.

A vulnerability involves three elements: a flaw in the system, an attacker’s access to the flaw, and the attacker’s capability to exploit it. The attacker must connect to the system with some kind of tool and exploit the vulnerability. A vulnerability should not be confused with a risk: the risk is the potential impact on the system that could result from misuse of the vulnerability [33].

We see a lot of flaws in IoT devices. Consumer-available products have flaws that are extremely easy to spot, but due to the lack of memory, processor power and energy in IoT devices they are difficult to fix. In addition, there are software errors in IoT coming from device management, operating systems and communication protocols.

2.2.2 Threat

A threat is an advantage to the intruder that is achieved by using the system’s vulnerability, and it has a negative effect on the actions of the system. In addition, a threat can be triggered by humans and also by natural causes such as earthquakes, floods and other natural disasters that damage the computer infrastructure and IoT systems.


There are also man-made threats created by experienced individuals who find vulnerabilities and produce system-damaging code and scripts, or who participate in criminal activity, e.g. against trade or government data. These kinds of threats are called structured threats, while unstructured threats can be caused by inexperienced people who introduce a malicious device into their equipment without enough knowledge of the threat it can cause. Both structured and unstructured threats [34] [35] apply to IoT devices. Threats must be defined through the collective participation of application originators, security specialists, analysts, designers and system administrators. Attack trees and attack patterns can be used to identify threats.

2.2.3 Attack

Attacks are the dangerous and alarming effects of a certain behavior of a device that is induced by vulnerabilities through a variety of gadgets and methods. Attacks have distinctive processes; for instance, one type of attack in which the attacker finds the sensitive information of unencrypted network traffic is called an active attack. Another type is a passive attack that monitors weakly encrypted traffic to find authentication information. The most typical attacks are access attacks, physical attacks, distributed denial of service attacks, privacy attacks such as password theft, and cyber security attacks [34].

2.3 Security Challenges

In this section we discuss security issues in UMTS, LTE and 5G technologies. We also discuss security challenges and vulnerabilities in IoT.

2.3.1 UMTS (Universal Mobile Telecommunication System)

UMTS stands for Universal Mobile Telecommunication System, also known as the 3G mobile system. Despite the unique security architecture of UMTS (3G), which led to the development of new services and is a key component of network formation, the presence and location of mobile users is one of the 3G concerns. Every user of the cellular network is uniquely identified by the IMSI. Firewalls are another concern. UMTS firewalls protect plaintext information from external attacks, but attacks can also originate from another mobile subscriber of the network, i.e. from someone who can reach the UMTS core network. Current VPNs provide only limited flexibility for setting up secure mobile user connections. Data privacy is a concern for UMTS, as the information transmitted inside the gateway is not encrypted in the WAP architecture [36].

2.3.2 LTE (Long Term Evolution)

The enhanced protection and efficient networking of the mobile telecommunication system known as 4G are accepted for the next generation. Since it uses the TCP/IP architecture, the 4G network is entirely IP oriented. All the components together form the Evolved Packet Core (EPC), which is also known as the EPS (Evolved Packet System). The 4G architecture consists of two parts, the EPS and the eNodeB. The authors of [37] [38] classified LTE threats into the following categories:

Identity and Privacy of User: prohibited access to and use of the user's identity or the hardware identity of the user to access the network, or changing the identity of users to commit malicious actions.

Tracking of User Equipment: IP tracking that can be related to an IMSI, depending on the UE / UEIM.

DoS Threat: the possibility of launching DoS attacks against other customer devices.

Unauthorized Access to The Network: unauthorized access to the EPC section can lead to a number of attacks and security exploitation.

eNodeB Physical Access and Credentials: unauthorized access to an eNodeB will result in attacks being driven towards any EPC node. Faked or cloned credentials, false configuration, and leaked or algorithm-related attack information may cause significant security issues.

Protocol Attack: exploiting the security vulnerabilities of any protocol in the interface of any node can easily cause DDoS attacks and other security issues.

Jamming: an attack in which a jammer transmits in order to disrupt reception or cause a denial of service over the RF channel. Both the uplink and the downlink of LTE can be jammed. Uplink jamming targets the base station, while downlink jamming targets the user equipment, where the signal travels from the base station to the user hardware.

Another form of jamming attack in LTE is protocol-aware jamming, which is enabled by the openness of the protocol. In addition, messages sent by the base station are not encrypted, which can lead to hacking and sniffing attacks [38]. The X.805 system security architecture illustrated in Figure 8 is also recommended for 4G wireless networks, as described by Anastasios et al [37].

The X.805 security architecture consists of three layers (the infrastructure layer, the services layer and the applications layer) and eight security planes: availability, data confidentiality, communication security, privacy, authentication, data integrity, access control and non-repudiation.

The analysis of Yongsuk et al [39] suggests that, due to the heterogeneous and IP-based architecture of 4G, modern threats can have effects that lead to unintended interference with data and service disclosure. In addition, the conceivable threats in 4G include user ID and service theft, DoS, IP spoofing and a massive range of connected heterogeneous devices, which are possible security holes in the framework.

Figure 8: ITU X.805 Framework [37]

These heterogeneous 4G devices can overwhelm any 4G mobile node in a variety of ways, such as DDoS. There is no easy resolution of the security issues, and security research and development must continue on an ongoing basis because new security threats keep emerging.

2.3.3 5G

Compared to previous standards, the different characteristics of 5G applications and services, such as eMBB, URLLC and mMTC, are vulnerable to attack and offer a variety of ways to target 5G services. There are many possible attack paths in 5G that start from client hardware, such as mobile phones, robots, IoT devices, computerized mechanical devices, autonomous vehicles, etc. The 5G security threats are shown in figure 9, which combines the Radio Access Network (RAN), the core and the internet: Man-in-the-Middle (MiTM) attacks on Cloud RAN (C-RAN) domains, an IP core network that is vulnerable to DDoS, and client devices that are exploited by malware and bots [31].

The security challenges associated with the core network are critical for a mobile network to recognize, as the full structure of 5G mobile systems depends on the core network. The entire system will fail if any of its technologies is vulnerable to the attacker. 4G and previous mobile networks were not designed to address security concerns related to NFV and SDN. Security requirements are needed for both signaling and information traffic at the different attack points (as shown in figure 9) from the user equipment (UE) to the RAN and the core network [31].

Figure 9: Security threats in 5G [31]

2.4 IoT

As described in [40], IoT has a lot of security threats and challenges.

According to the researchers, we need to understand the new features of IoT in order to understand security threats to IoT devices. Below we describe some features of IoT that give rise to attacks on IoT devices.

1. Ubiquitous: IoT devices are involved in our daily life and use all our resources. Individuals who have no idea of the security of these devices still use them, and manufacturers do not pay much attention to their security. Producers provide no safety advice and no information that the device collects all your sensitive data. The unsafe default configuration of these devices is one of the triggers of the latest attacks. Given all these aspects, the abnormal behavior of these devices is observed and controlled by the network operators.

2. Diversity: IoT has a large number of devices involved in different use cases and applications. IoT devices connect to different cloud networks through distinctive security elements and protocols. Differences in device capabilities and requirements make it difficult to create a global defense network. Attackers benefit from these differences to launch DDoS attacks. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can help in preventing intrusion attacks.

3. Privacy: A parallel relationship exists between IoT devices and users. A few sensors jointly gather important environmental information to track our climate. It is an easy task for a hacker to obtain sensitive information and identities, for example a smart home's activity pattern from its home network traffic [41].

4. Unattended: Some IoT devices are special purpose devices, such as Implantable Medical Devices (IMDs). These types of devices operate unattended in the physical world for a long time without human intervention. It is extremely difficult both to apply security computing and to see whether these devices are remotely hacked. In [42] the authors proposed a lightweight, stable execution environment for these types of devices.

5. Mobile: Several IoT devices are portable and switch from network to network, for example a smart vehicle that collects street data while driving from one place to another. If the attacker injects code through mobile devices, the device configuration or activity is changed. However, changing the device configuration is very difficult, especially when network mobility is configured on the device. The chances of attack are decreased by mobility.

2.4.1 NB-IoT

Narrowband IoT is an LPWAN radio technology that enables a wide range of devices and services to be connected over cellular transmission bands. It is specifically designed for IoT and standardized by 3GPP [43], as discussed in the delimitation section of Chapter 1. NB-IoT is designed to transmit small batches of data from low-power, low-activity IoT devices that transmit a few bytes of data per day. NB-IoT operates at 880-960MHz and 791-832KHz [44] respectively. In any case, there are many NB-IoT constraints that an attacker can target. As introduced in 3GPP Release 13, the goals of NB-IoT are to improve indoor coverage by 20 dB compared to legacy GPRS devices, to support at least 52547 low-throughput devices, and to reduce complexity and improve power consumption, with a 164 dB MCL target and a battery life ten times longer on a 5 Watt battery capacity. As shown in figure 10 [44], NB-IoT can be deployed in stand-alone mode, in in-band mode and in the guard band of an existing LTE carrier.

In the current LTE system, where NB-IoT is supported by a subset of the LTE cells, a problem arises when a device must be served by an NB-IoT cell that is distant from the device while the strongest LTE cell is near the device, as shown in figure 10. In this case coverage is complicated and there is a critical path loss from the serving cell, as shown in figure 11. Due to the low SINR and range problem we observe LTE cell interference in NB-IoT. NB-IoT suffers from co-channel interference. Nevertheless, changing the Physical Resource Block (PRB) is a method to avoid co-channel interference when the cells are synchronized at the subframe level.

There are a few open issues and vulnerabilities that need to be resolved.

Figure 10: NB-IoT deployment [44]

Figure 11: Partial Deployment of NB-IoT [44]

NB-IoT is planned to support massive numbers of heterogeneous devices and different applications with varying requirements such as latency, reliability and bandwidth. The heterogeneous nature of IoT makes it a challenge to establish a structure. Security and privacy are another problem for IoT users. NB-IoT has the same issue, since eavesdropping attacks are possible over the radio channel. In addition, the limited design of the device and the limited transmission capabilities of NB-IoT make it more difficult to run a feasible security system with simple computations, as most of the techniques require sufficient battery and processing capacity for message exchange. Energy management and control over a complex NB-IoT channel, and energy efficiency in general, are also major issues [45] [46]. Another issue with NB-IoT is that with larger packet sizes the S11-U interface could crash.

2.4.2 Protocol Vulnerabilities in IoT

IoT uses a variety of network communication protocols to work with heterogeneous services. Wi-Fi, Bluetooth, Z-Wave, IEEE 802.15.4 and LTE are examples of IoT protocols. There are also some basic communication technologies in IoT, such as Ultra-Wide Bandwidth (UWB), Near Field Communication (NFC) and RFID. Before using these protocols, the potential threats in IoT protocols should be known. As shown in figure 12, the basic IoT protocols are presented first and their vulnerabilities are explained below.

Figure 12: IoT Protocol Stack

1. CoAP (Constrained Application Protocol)

The lightweight CoAP is an application layer protocol explicitly defined by the IETF for constrained devices. In the client server architecture, this protocol maps to the HTTP methods GET, POST, PUT and DELETE. CoAP runs over UDP with low overhead, and multicast communication is also enabled. It has two types of messages, CON (Confirmable) and NON (Non-Confirmable), with a total length of 1400 bytes and a header length of 32 bits [47].

Datagram Transport Layer Security (DTLS), which CoAP adopts, is necessary for the protection of messages. Although DTLS is an additional layer of security for the application layer, there are ongoing discussions about the limitations of DTLS. The issues of DTLS with CoAP include a comprehensive DTLS header that does not fit into the IEEE 802.15.4 MTU, a heavy handshake, a conflict with CoAP intermediary mode, and costly computation.

The experiment performed in [48] shows that DoS attacks can be launched repeatedly by sending CoAP requests to a border router in a smart home. By sending malicious requests every 500 ms, 75% of the legitimate packets are lost, and the remaining packets are destroyed by CoAP flooding. However, when the secure mode of the transceivers is enabled, no effect on communication is observed under the DoS attack.

2. MQTT (Message Queuing Telemetry Transport)

MQTT is a messaging protocol that connects devices to middleware and applications using a broker-based publish-subscribe model. In the publish-subscribe process, messages are transmitted from a publisher to a subscriber based on a message topic. MQTT operates over TCP and transfers messages at three QoS levels. The publisher, the subscriber and the broker are the three MQTT elements. For IoT and M2M (Machine to Machine) communication, MQTT is an appropriate messaging protocol requiring low processing capacity, little memory and low bandwidth [49].

Figure 13: MQTT in IoT [50]

In the MQTT system, Ahmad et al [51] categorized the IoT threat actors into four groups:

Malicious Internal User: a client who has legitimate access to the device but uses it for malicious purposes. A malicious user who gains access to the MQTT broker can also enable attacks.

Curious User: a client or analyst in the IoT environment who wants to find holes and vulnerabilities.

Bad Manufacturer: a manufacturer who leaves an open backdoor through which attackers obtain information about the devices or users, or gain remote access to the device. In order to launch an attack or collect sensitive information, the adversary then injects malicious code into the MQTT client or broker.

External Attacker: a skilled programmer who performs malicious activity on any part of the MQTT-based framework.

Attackers in the MQTT-based IoT environment can perform DoS, identity spoofing, information disclosure, privilege escalation and tampering with data. Disrupting the broker service causes DoS within the MQTT system, since the main task of the broker is to deliver messages from the publisher to the subscribers. Attackers also trigger DoS by draining the MQTT client and broker with messages larger than 256 MB, which is MQTT's maximum payload size. In addition, since MQTT runs over TCP, TCP-level DoS attacks such as bandwidth consumption and SYN floods also apply to it. An unsecured MQTT broker can generate a variety of IoT vulnerabilities. For example, a compromised broker gives the attacker the opportunity to disclose all information, including confidential information, to modify the data stored in the broker, or to launch a DoS [52]. Despite the fact that MQTT relies on SSL / TLS for its security component, enforcing it on constrained devices is costly [53].

3. AMQP (Advanced Message Queueing Protocol)

AMQP is a lightweight M2M communication protocol that supports the publish-subscribe architecture as well as request-response. The AMQP system provides an "exchange" through which publishers and subscribers find each other. The subscriber creates a "queue" and attaches it to the "exchange" with a "binding", so that messages from the exchange are delivered to the queue. AMQP, like MQTT, runs over TCP and uses SSL / TLS and SASL for security. It is connection-oriented and is known as a robust and stable protocol [54]. Although AMQP uses SSL / TLS-based transmission encryption over TCP, there are still vulnerabilities that an attacker can use to intercept IoT communication. Because TCP / IP is a key protocol for AMQP, attackers have already misused TCP vulnerabilities in many ways. In addition, AMQP is also susceptible to attacks in IoT frameworks [55].

4. XMPP (Extensible Messaging and Presence Protocol)

This protocol is based on XML (Extensible Markup Language) and provides real-time communication. XMPP can be configured as client server and runs on a TCP / IP stack. Since XMPP is based on XML, it can be used in a number of customized applications, such as time reporting, notification, communication between devices, objects, actuators, sensors, etc. XMPP uses SASL and TLS [56] for secure authentication and encryption.

In [53], the authors state that XMPP has failed to provide end-to-end secured communication for the deployment and implementation of IoT.

Unreliable XMPP is defenseless against attacks such as password sniffing, unauthorized access to servers, message insertion, deletion, replay, and more.

5. ZigBee

ZigBee is a set of communication protocols for low data rate transfer in short range wireless networks. The ZigBee standard was developed by the hundreds of companies of the ZigBee Alliance [57]. ZigBee adopts the IEEE 802.15.4 physical layer and medium access control layer protocols.

ZigBee devices mostly operate in the 868 MHz, 915 MHz and 2.4 GHz frequency bands. The maximum data rate of ZigBee devices is 250 kbit/s.

ZigBee devices mainly run on battery power and are characterized by low power consumption, low data rate and low cost, but the main requirement is battery life. The total time that ZigBee applications spend transmitting is very limited; mostly the devices are in power saving mode, also called sleep mode. Due to this feature ZigBee devices can retain their battery life for several years [58].

Figure 14: Some Applications in ZigBee [59]

An example of a ZigBee application is a home-based patient monitoring system. In the home monitoring system, the patient's heart rate and blood pressure are monitored with wearable devices. The wearable devices connect to different sensors via ZigBee. All patient data is transmitted to a local server, i.e. a local personal computer, where the data is initially analyzed inside the patient's home. For the final decision, the data is transferred to the patient's physician for further analysis [58].

The wireless transmission can be received by any device in range, whether Bluetooth-enabled or otherwise. If an intruder's device is in the network, it will listen to all the sensitive information in the transmitted messages. The confidentiality problem is solved by applying an encryption algorithm to the messages: IEEE 802.15.4 encrypts the transmitted messages with the Advanced Encryption Standard (AES) [58].

6. 6LoWPAN

6LoWPAN (IPv6 over Low-Power Wireless Personal Area Network) is designed by the IETF on top of the IEEE 802.15.4 physical and MAC layers for low-power and lossy networks. 6LoWPAN devices are known for their low bit rate, short range, low computational power and small, low-cost memory. The authors of [60] investigated the discovery of vulnerabilities in 6LoWPAN using a fuzzing methodology built on Scapy. Fuzzing is a highly automated method that is widely used to detect unexpected errors and flaws in network protocols that could be misused by an attacker.

The authors of [61] show that an attacker can misuse the 6LoWPAN routing and fragmentation mechanisms in order to prevent the correct processing of the legitimate fragments of a packet. They consider constrained devices with tens of kilobytes of RAM, a few MHz of computational power and low-power wireless communication over 6LoWPAN, and find them defenseless against the following attacks. In the fragment duplication attack on the 6LoWPAN layer, the receiver is unable to distinguish a legitimate fragment from a spoofed fragment and has to process all the fragments it receives that carry the same IPv6 datagram tag and the MAC address of the receiver. For example, in the DTLS handshake the attacker injects spoofed FRAGN fragments into a legitimate 6LoWPAN packet: the attacker adds a fragment with a random payload to the original packet, and this injected fragment blocks the packet.

Another type of attack in 6LoWPAN is the buffer reservation attack, in which the attacker targets the memory of IoT devices. Unlike the previous attack, the target node does not distinguish between the real and the attacking fragments in this attack. The attacker sends a single FRAG1 with a small payload to the target node to start a buffer reservation attack. If the target node's buffer is not in use at that moment, the target node accepts the FRAG1 and reserves the buffer to reassemble the attacker's fragmented packet. The attacker then either does not send the remaining FRAGNs at all, or keeps the buffer occupied by intermittently sending FRAGNs before the target node's reassembly timeout expires. Therefore, no other packet can be reassembled. The attacker identifies the target node via the addressing information used in 6LoWPAN [61] for both the buffer reservation and the fragment duplication attack.

Another recent study [62] classifies the security risks of 6LoWPAN into end-to-end and hop-to-hop attacks. The hop-to-hop attacks on 6LoWPAN systems are triggered by compromised internal nodes. This form of attack targets the radio hops, the physical link and the routing discovery process. Tampering, battery exhaustion, wormhole, jamming, spoofing and selective forwarding attacks are enabled by unprotected equipment and the ability of the attacker to control the 6LoWPAN layer. End-to-end attacks on WSN IPv6-based systems are caused by unauthorized external hardware. Attacking the end-to-end link is harmful to the whole network. End-to-end security is necessary because the hardware performs fragmentation and reassembly of IPv6 packets, and it must be protected against modification of the packets being reassembled. The attacks of this group take place between the IPv6 end host and the 6LoWPAN border router, for example by overwhelming the edge router with large amounts of traffic or by impeding communication by injecting incorrect messages into the border router.

7. 802.15.4 Standard

The IEEE 802.15.4 physical layer standard is also becoming popular with IoT development due to its low power consumption. However, reliable data communication is a major challenge in a low-power protocol. Various approaches have been implemented to provide reliable communication over the different layers of the protocol stack. These approaches are cryptographic security, i.e. physical layer and upper layer encryption, and information-theoretic security, which can be achieved through physical layer security strategies. The strategies for physical layer encryption rely on the modulation of the information.

Across the various protocols, security schemes are shared for upper-layer security, such as end-to-end encryption, but they do not prevent risks and attacks such as flood attacks, DoS and traffic inspection [63]. 802.15.4 is enabled by the MAC layer that offers security services such as confidentiality and integrity. However, these services are achieved at the cost of power consumption, which is not easy for 802.15.4. For the transmission of secure data, a steganography-based method has been proposed [64]; its low data rate over the covert channel is a big drawback.
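The two 6LoWPAN fragmentation attacks from [61] discussed above (fragment duplication and buffer reservation) can be contained at the receiver. The following is an added example, not code from the thesis or from [61]; the defences it implements (a per-source cap on reserved reassembly buffers, a reassembly timeout, and dropping any datagram whose fragments disagree) are a policy assumed here for illustration, and the fragment format, addresses and sizes are constructed.

```python
# Added example (not from the thesis or from [61]): a 6LoWPAN-style reassembler
# with defences against fragment duplication and buffer reservation attacks.
# The fragment representation and all addresses/sizes are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str        # link-layer source address
    tag: int        # datagram tag shared by all fragments of one datagram
    size: int       # total datagram size announced by FRAG1/FRAGN
    offset: int     # byte offset of this fragment (0 for FRAG1)
    payload: bytes


@dataclass
class Buffer:
    size: int
    first_seen: float
    parts: Dict[int, bytes] = field(default_factory=dict)


class Reassembler:
    """Reassembly with three defences (assumed policy):
    - per_source: a node may hold at most this many buffers, so one attacker
      flooding FRAG1s cannot reserve all of them (buffer reservation attack);
    - timeout: a reservation that is never completed is reclaimed;
    - conflict detection: two fragments claiming the same slot with different
      content (fragment duplication) make the datagram undecidable, so it is
      dropped rather than reassembled from a possibly spoofed fragment."""

    def __init__(self, max_buffers: int = 4, per_source: int = 1, timeout: float = 1.0):
        self.max_buffers, self.per_source, self.timeout = max_buffers, per_source, timeout
        self.buffers: Dict[Tuple[str, int], Buffer] = {}
        self.events: List[Tuple[str, str, int]] = []   # audit trail: (event, src, tag)

    def _expire(self, now: float) -> None:
        for key, buf in list(self.buffers.items()):
            if now - buf.first_seen > self.timeout:
                del self.buffers[key]
                self.events.append(("timeout", key[0], key[1]))

    def receive(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Feed one fragment; return the datagram when complete, else None."""
        self._expire(now)
        key = (frag.src, frag.tag)
        buf = self.buffers.get(key)
        if buf is None:
            in_use = sum(1 for (s, _) in self.buffers if s == frag.src)
            if in_use >= self.per_source or len(self.buffers) >= self.max_buffers:
                self.events.append(("rejected", frag.src, frag.tag))
                return None
            buf = self.buffers[key] = Buffer(frag.size, now)
        prev = buf.parts.get(frag.offset)
        if (prev is not None and prev != frag.payload) or frag.size != buf.size:
            del self.buffers[key]          # undecidable: drop the whole datagram
            self.events.append(("conflict", frag.src, frag.tag))
            return None
        buf.parts[frag.offset] = frag.payload
        if sum(len(p) for p in buf.parts.values()) == buf.size:
            del self.buffers[key]          # complete: release the buffer
            return b"".join(buf.parts[o] for o in sorted(buf.parts))
        return None
```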

2.5 What is DDoS

DDoS stands for 'Distributed Denial-of-Service' and is a kind of DoS (Denial-of-Service) in which the intruder performs an attack from several locations and different sources simultaneously. DoS attacks are mostly driven by controlling or shutting down a specific resource; one method of operation is to exploit a system deficiency and cause a processing failure or saturation of system resources. Another way to target the affected system is to flood and monopolize it, thereby denying its use to anyone else [18]. The denial of access to or control of the affected device is what characterizes and categorizes the attack as DoS. It is important to remember that the attacker has to install the agent code on some resource or device that supports it, in order to have an infiltration point into the targeted system, regardless of whether it is an IoT device, a server, a network component or a mobile device [18].

Figure 15: DDoS Attack [65]

DDoS is carried out by simultaneously sending a critical number of requests via botnets and compromised IoT devices to exhaust the computing resources of the target (transmission capacity and bandwidth). Bots can be either clients set up deliberately by the attacker or legitimate clients that have been compromised [66].

2.5.1 DDoS attacks, an overview

The authors of [67] state that battery, computation, memory and radio transmission capability are limited in IoT devices. It is therefore not easy to enforce security measures that involve a heavy communication stack and more computing resources. IoT devices, services and supporting networks cannot withstand attacks such as DDoS, spoofing, jamming, man-in-the-middle and privacy attacks. The authors also suggest the use of machine learning techniques, which are important for finding vulnerabilities and security threats in IoT.

As most of the threats in IoT come from insecure IoT devices, a network-based technique for detecting infected IoT devices has been suggested in [18]. The suggested method was developed by studying the two malware families Mirai and BASHLITE. With the help of tools available to an ISP, such as NetFlow, DNS capture analysis and packet capture, it is possible to detect and analyze the malware. The main objective of the authors is to discover the common properties, techniques and malware phases that reveal the weaknesses of IoT. The four stages that every IoT malware follows in its life cycle are given in figure 16.

Scanning: scanning engines probe hosts to detect vulnerabilities. Random IPv4 subnets are checked; most of the time port 23, running the Telnet daemon, is the target, often also port 2323 and other ports running different services.

Attacking: this is a very common property of IoT malware. Most of the time the attacker tries default usernames and passwords such as "admin/admin" or "root/root" to attack the IoT devices. The attack also exploits these devices through the TR-064 and TR-069 services.

Infection: this is conducted in a number of ways, such as via HTTP (wget), TFTP [68] and over Telnet. The malware binary, compiled from C code, is downloaded in this way and infects the scanned device.

Abuse: DDoS attacks are carried out by the IoT botnets. SYN and SYN / ACK floods, TCP and UDP floods, and HTTP attacks make up the bulk of the DDoS attacks.

Figure 16: Attack Life Cycle [18]
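The ISP-level detection idea from [18] summarized above can be illustrated on NetFlow-style records: the scanning stage shows up as one source contacting many distinct hosts across many subnets on the Telnet ports, and the infection stage as a freshly contacted device fetching a binary over TFTP or HTTP. The following is an added example, not code from the thesis or from [18]; the flow record format, the addresses and the thresholds are constructed for illustration.

```python
# Added example (not from the thesis or from [18]): a NetFlow-style detector
# for the scanning and infection stages of the IoT malware life cycle.
# Flow records, addresses and thresholds are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

TELNET_PORTS = {23, 2323}      # ports that Mirai-style scanners probe
DOWNLOAD_PORTS = {69, 80}      # TFTP / HTTP used to fetch the malware binary


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time in seconds
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flags seen, e.g. "S" (SYN only) or "SPA" (session with data)


def detect_telnet_scanners(flows: Iterable[Flow], window: float = 60.0,
                           min_targets: int = 20, min_subnets: int = 5) -> Dict[str, dict]:
    """Flag sources that touch many distinct hosts on Telnet ports within one time
    window, spread over many /24 subnets (random IPv4 scanning). An administrator
    reaches a handful of devices; a scanner reaches dozens, mostly with SYN-only flows."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            by_src[f.src].append(f)
    findings: Dict[str, dict] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):              # sliding window over time
            while fl[end].ts - fl[start].ts > window:
                start += 1
            win = fl[start:end + 1]
            targets = {f.dst for f in win}
            subnets = {f.dst.rsplit(".", 1)[0] for f in win}
            if len(targets) >= min_targets and len(subnets) >= min_subnets:
                syn_only = sum(1 for f in win if f.flags == "S")
                findings[src] = {"targets": len(targets), "subnets": len(subnets),
                                 "syn_only_ratio": syn_only / len(win)}
                break
    return findings


def infection_candidates(flows: Iterable[Flow], scanners: Set[str]) -> List[str]:
    """Devices that completed a Telnet session with a flagged scanner and then
    opened an outbound TFTP/HTTP flow: the infection stage after a login."""
    flows = list(flows)
    accepted: Dict[str, float] = {}           # victim -> time of first accepted session
    for f in flows:
        if f.src in scanners and f.dport in TELNET_PORTS and "A" in f.flags:
            accepted[f.dst] = min(f.ts, accepted.get(f.dst, f.ts))
    return sorted({f.src for f in flows
                   if f.src in accepted and f.dport in DOWNLOAD_PORTS
                   and f.ts > accepted[f.src]})


# Constructed sample: one scanner (10.0.0.5), one administrator (10.0.0.9) and
# one device (192.0.2.10) that accepts the scanner's login and fetches a binary.
SAMPLE_FLOWS: List[Flow] = (
    [Flow(1000 + i * 0.5, "10.0.0.5",
          f"{100 + i}.{i % 7}.{(i * 3) % 256}.{i % 250 + 1}", 23, "tcp", "S")
     for i in range(40)]
    + [Flow(1030.0, "10.0.0.5", "192.0.2.10", 23, "tcp", "SPA"),     # login succeeded
       Flow(1031.0, "192.0.2.10", "198.51.100.7", 69, "udp", ""),    # victim fetches binary
       Flow(1005.0, "10.0.0.9", "192.0.2.20", 23, "tcp", "SPA"),     # administrator
       Flow(1006.0, "10.0.0.9", "192.0.2.21", 23, "tcp", "SPA"),
       Flow(1007.0, "10.0.0.9", "192.0.2.22", 2323, "tcp", "SPA")]
)

if __name__ == "__main__":
    found = detect_telnet_scanners(SAMPLE_FLOWS)
    print("scanners:", found)
    print("infected:", infection_candidates(SAMPLE_FLOWS, set(found)))
```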

According to the authors, attacks from compromised IoT devices follow the same life cycle and can be mitigated at the ISP level by the proposed system. Attackers also issue DDoS attacks from the cloud by leasing virtual machines, as these have higher processing capacity and cannot be traced back to them. DDoS defense is applied in both directions, i.e. at the source or at the destination end. A destination side defense can only describe attacks once they reach the target, which is one of the disadvantages of this type of defense. Source side defense frameworks such as D-WARD [69], MULTOPS [70] and MANAnet [71], which identify DDoS attacks by comparing incoming and outgoing traffic, underpin the destination side defense.

The authors of [72] proposed a DDoS machine learning detection system that includes one pre-trained module to detect suspicious activities inside virtual machines and another online learning module to revise the pre-trained module. The system is tested against TCP SYN, ICMP, DNS reflection and SSH brute-force attacks with nine separate machine learning algorithms, using the described machine learning features. The result is 93 percent accuracy with supervised machine learning algorithms such as Naïve Bayes, SVM and Decision Tree, although unsupervised machine learning methods are not examined.

An automated machine learning-based defense against DDoS attacks is implemented in [73]. Instead of using source or destination side detection or protection, the authors propose an automated defense system that monitors resource utilization and uses Neural Networks for anomaly detection. This approach uses the reported resource usage to detect anomalies.

As there is no consensus on what traffic counts as an anomaly, typical features of DDoS attacks, such as the layer 3 IP header, the layer 4 TCP header and layer 7 HTTP specifics, are extracted as machine learning features.

The machine learning techniques are then able to distinguish attacks on the basis of the knowledge obtained from these three feature groups in both normal and abnormal circumstances. It is expected that the trained algorithm would detect and drop harmful packets of the kind that damaged the system before. The NCTUNS network simulator was used to test this method.

2.5.2 DDoS Direct and Indirect attacks

As shown in Figure 17, a DDoS attack can be carried out in two ways, either directly or indirectly. In a direct attack, the attacker sends a bundle of packets straight to the targeted machine over the network. In an indirect attack, the intruder resorts to an intermediate server and attacks the victim through a reflector server: the attacker sends packets with the victim's spoofed source IP to the reflector server, and the reflector server sends its responses to the target. Also, in a direct attack the victim receives packets with the same payload that the attacker sends, while in an indirect attack the reflecting server receives a request from the attacker and sends an answer to the victim. For example, if the intruder sends 1Mb/s, the attacker can obtain an increase in the number of packets and/or the transferred payload, and the reflector can deliver more than that amount of packets to the target victim [74]. In a complex reflective attack, the attacker uses a control center as well as a bot called a handler that controls 100 zombies in a botnet, as can be seen in Figure 18.

Figure 17: Direct and Indirect Attacks [74]

Figure 18: Complex Reflection Attack [74]

2.5.3 How attackers launch a DDoS attack

At first, attackers discover vulnerabilities in one or more IoT devices and execute a malicious program on them in order to launch a DDoS attack. At that point, the attacker forms a huge collection of geographically dispersed zombies called a botnet. Each set of zombies is controlled by a handler, a software package of which there may be a huge number across the internet. Since the handlers have information about the zombies, they communicate directly with the attackers and the zombies. When the attack is launched, the attackers direct it to the zombie handlers, who transmit it to all the zombies. At that point, the zombies attack the target system. Because of the nature of these attacks, the management and filtering of DDoS attacks based on IP spoofing is difficult to handle [75] [76] to this day.


2.5.4 DDoS attack types

As shown in Figure 19, DDoS attacks are primarily divided into three groups, since an attack can be deployed at different layers. At several layers the attacker exploits the weakness of individual ports. For example, in a UDP flood the attacker overruns random ports of the target host with UDP packets. The host then checks whether any application is listening on each port and, finding none, replies with an ICMP 'Destination Unreachable' error. The consumption of host resources makes the host unavailable to its legitimate users. Protocol attacks such as Ping of Death (PoD) and Smurf involve sending harmful pings to a computer by means of the Internet Protocol [77].

Figure 19: DDoS Attack Types [75]

The attacker can also use the ping sweep (Ping Search) technique to find possible victims; the TCP SYN or ACK, UDP and ICMP variants are the most common ping scans. ICMP scans succeed when the firewall and ACL rules are less restrictive towards LANs or internal IP addresses. A UDP scan is useful when unsolicited UDP services and outgoing ICMP traffic are not blocked by the firewall. A TCP ACK scan succeeds against a stateless firewall that does not reject random ACK packets [78].

2.5.5 UDP attack

In a UDP attack, the attacker sends a huge number of UDP packets to the target victim. The host system will attempt to locate the application listening on the destination port of each packet. If no service or program is running on that port, an ICMP 'port unreachable' message is returned to the source address of the attacker. Since the attacker continually sends UDP packets and the host has to keep reacting with ICMP unreachable messages, the network connection becomes overloaded; in the long run, the victim machine will not be able to reply to its legitimate users. Due to the stateless nature of the UDP protocol, attackers can easily launch UDP flood attacks while spoofing their source address. However, a few operating systems have the ability to mitigate a UDP flood by limiting the number of ICMP responses [79].
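The response limiting mentioned above can be illustrated with a token bucket. The following is an added example, not code from the thesis or from any operating system: it simulates a host that answers datagrams on closed ports with ICMP port-unreachable replies, but only as long as the bucket holds tokens. The bucket size, refill rate, and both packet traces are constructed values chosen for the demonstration, not real kernel defaults.

```python
"""Added example: token-bucket rate limiting of ICMP 'port unreachable'
replies, the mitigation some operating systems apply against UDP floods.
Not code from the thesis or any OS; bucket size and refill rate are
constructed values chosen for the demonstration, not real defaults.
"""


class IcmpReplyLimiter:
    """Allow at most `burst` replies at once, refilling `rate` tokens per second."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # start full: normal traffic is never throttled
        self.last = 0.0              # timestamp of the previous decision

    def allow(self, now: float) -> bool:
        """Return True if an ICMP reply may be sent at time `now` (seconds)."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        # Refill proportionally to elapsed time, never beyond the burst size.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def handle_closed_port_datagrams(arrivals, limiter):
    """Simulate a host receiving UDP datagrams on ports with no listener.

    `arrivals` is a time-ordered list of (timestamp, dst_port). Without a
    limiter every datagram would trigger one ICMP port-unreachable reply.
    Returns (replies_sent, replies_suppressed).
    """
    sent = suppressed = 0
    for ts, _dport in arrivals:
        if limiter.allow(ts):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


def flood_arrivals(pps: int, seconds: float = 1.0):
    """Constructed flood: `pps` datagrams per second spread over random-looking ports."""
    n = int(pps * seconds)
    return [(i / pps, 1024 + (i * 7919) % 60000) for i in range(n)]


def legitimate_arrivals(count: int = 20, gap: float = 0.05):
    """Constructed trickle of misaddressed datagrams, e.g. from a misconfigured client."""
    return [(i * gap, 5000) for i in range(count)]


if __name__ == "__main__":
    # A limiter with a burst of 50 and 100 replies/s: the legitimate trickle is
    # answered in full, while a 10 000 pps flood gets roughly 150 replies per second.
    print(handle_closed_port_datagrams(legitimate_arrivals(), IcmpReplyLimiter(100, 50)))
    print(handle_closed_port_datagrams(flood_arrivals(10_000), IcmpReplyLimiter(100, 50)))
```

The point a practitioner should take from the simulation is that the limiter caps the victim's outbound ICMP rate (and therefore the CPU and bandwidth spent on replies) without affecting low-rate legitimate traffic, but it does nothing about the inbound flood itself, which still has to be absorbed upstream.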

2.5.6 Detection of DDoS Traffic

Various techniques have been used to distinguish DDoS attacks by classifying the traffic of the network, such as [80] [81] [82] [83]. Extending QoS, improving network management and improving network security are some of the reasons for classifying traffic. The classification can be based on either a unidirectional or a bidirectional flow. A unidirectional flow is the ordered packet stream from a host to a server, identified by a five-tuple: the source IP and port, the destination IP and port, and the transport layer protocol. A bidirectional flow instead considers the packets sent and received in both directions between the two hosts.
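As an added example (not code from the thesis), the block below builds both kinds of flow record from a packet trace and derives two indicators from them: the per-source port scatter that characterizes the UDP flood of Section 2.5.5, and, for the reflection attacks of Section 2.5.2 seen from the victim's side, conversations that begin with a packet from a well-known service port and never contain a matching request. The `Packet` type, the trace (RFC 5737 documentation addresses), and the thresholds are all constructed for the illustration.

```python
"""Added example: unidirectional (5-tuple) and bidirectional flow records
built from a packet trace, plus two DDoS indicators derived from them.
Not code from the thesis; the trace is constructed and the thresholds
are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "UDP" or "TCP"
    length: int    # bytes on the wire


def unidirectional_flows(packets):
    """Aggregate packets by the 5-tuple (src, sport, dst, dport, proto)."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for p in sorted(packets, key=lambda p: p.ts):
        rec = flows[(p.src, p.sport, p.dst, p.dport, p.proto)]
        rec["pkts"] += 1
        rec["bytes"] += p.length
    return dict(flows)


def bidirectional_flows(packets):
    """Merge both directions of a conversation into one record.

    The key is the 5-tuple of the first packet seen (the initiating side);
    packets travelling the opposite way are counted as the reverse direction.
    """
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if rev in flows:
            key, side = rev, "rev"
        else:
            key, side = fwd, "fwd"
            flows.setdefault(key, {"fwd_pkts": 0, "fwd_bytes": 0,
                                   "rev_pkts": 0, "rev_bytes": 0})
        flows[key][side + "_pkts"] += 1
        flows[key][side + "_bytes"] += p.length
    return flows


def udp_port_scatter(uni_flows, min_ports=20):
    """UDP-flood indicator: (src, dst) pairs where one source hits many
    distinct UDP ports on the same target."""
    ports = defaultdict(set)
    for (src, _sport, dst, dport, proto) in uni_flows:
        if proto == "UDP":
            ports[(src, dst)].add(dport)
    return {pair: len(s) for pair, s in ports.items() if len(s) >= min_ports}


def unsolicited_replies(bi_flows, service_ports=frozenset({53, 123, 1900})):
    """Reflection indicator (victim's view): conversations that start with a
    packet *from* a service port and never carry a request the other way."""
    return [key for key, rec in bi_flows.items()
            if key[1] in service_ports and key[4] == "UDP" and rec["rev_pkts"] == 0]


def constructed_trace():
    """Constructed sample: one benign DNS exchange, a 50-port UDP flood against
    10.0.0.5, and reflected NTP responses that 10.0.0.5 never asked for."""
    pkts = [Packet(0.00, "10.0.0.5", 40000, "198.51.100.2", 53, "UDP", 60),
            Packet(0.02, "198.51.100.2", 53, "10.0.0.5", 40000, "UDP", 120)]
    pkts += [Packet(1.0 + i * 0.001, "203.0.113.9", 5555, "10.0.0.5", 1000 + i, "UDP", 512)
             for i in range(50)]
    pkts += [Packet(2.0 + i * 0.01, "192.0.2.7", 123, "10.0.0.5", 9999, "UDP", 468)
             for i in range(5)]
    return pkts


if __name__ == "__main__":
    trace = constructed_trace()
    uni, bi = unidirectional_flows(trace), bidirectional_flows(trace)
    print(len(uni), "unidirectional flows,", len(bi), "bidirectional flows")
    print("port scatter:", udp_port_scatter(uni))
    print("unsolicited replies:", unsolicited_replies(bi))
```

Note that the flood shows up as 50 separate unidirectional flows but as one (src, dst) pair in the scatter indicator, which is why per-source aggregation on top of the raw 5-tuple records is what makes the pattern visible; the bidirectional record is what exposes the missing request in the reflection case.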

Pattern detection can be used as an instrument that identifies attacks by recognizing the signatures of known attacks. Such pattern-matching systems are often used for virus detection. Snort, which detects attacks by matching attack signatures, is one of the good detection systems [84]. In either case, payload inspection and machine learning-based behaviour detection are the two feasible approaches for DDoS detection.

2.6 Machine Learning

Several machine learning techniques have been used to detect DDoS attacks. Each approach distinguishes between the different DDoS attacks with different results, depending on the properties of the data and of the algorithm. For example, Manjula et al. [85] show that the Fuzzy C-Means measure in unsupervised clustering performs much better, on the basis of twenty-three extracted attributes, compared to other algorithms.

A single solution with one set of features that recognizes all kinds of DDoS attacks is still not available. Due to the massive amount of network data, it is difficult to recognize whether the generated data comes from legitimate users or from a real-time attack. The tests by Peter et al. [75] show that the Long Short-Term Memory Recurrent Neural Network (LSTM RNN) deep learning approach gives impressive results for detecting a DDoS attack in a network. The choice between supervised and unsupervised machine learning algorithms depends on specific parameters, such as the volume and structure of the data and the form of the DDoS attack. Five machine learning approaches for detecting DDoS attacks in IoT are described below.
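To make the supervised setting concrete before the individual algorithms are described, the following added example (not the thesis's own code) implements one of them, k-nearest neighbours, from scratch on flow feature vectors and scores it with the accuracy and precision measures the thesis reports. The four features, the labelled training and test samples, and the choice of k = 3 are constructed for the illustration; the min-max scaling fitted on the training set only is the step a practitioner most often gets wrong, since unscaled packet rates would otherwise dominate the distance.

```python
"""Added example: k-nearest-neighbour classification of flow feature vectors
with accuracy/precision/recall evaluation. Not code from the thesis; the
feature set and all samples below are constructed for illustration.
"""
import math
from collections import Counter

# Feature order: packets per second, mean packet length (bytes),
# distinct destination ports per source, fraction of packets that got a reply.
FEATURES = ("pps", "mean_len", "distinct_ports", "reply_ratio")
BENIGN, ATTACK = 0, 1

# Constructed labelled flows: (feature vector, label).
TRAIN = [
    ((5, 80, 1, 1.0), BENIGN), ((12, 120, 2, 0.9), BENIGN),
    ((8, 200, 1, 1.0), BENIGN), ((20, 150, 3, 0.95), BENIGN),
    ((3, 64, 1, 1.0), BENIGN), ((15, 300, 2, 0.8), BENIGN),
    ((4000, 512, 500, 0.0), ATTACK), ((9000, 1024, 800, 0.0), ATTACK),
    ((6000, 64, 1000, 0.01), ATTACK), ((12000, 512, 50, 0.0), ATTACK),
    ((7500, 900, 600, 0.02), ATTACK), ((5000, 256, 300, 0.0), ATTACK),
]
TEST = [
    ((10, 100, 1, 1.0), BENIGN), ((8000, 512, 700, 0.0), ATTACK),
    ((25, 180, 2, 0.9), BENIGN), ((3000, 300, 200, 0.05), ATTACK),
]


def fit_scaler(rows):
    """Per-feature (min, max) from the training rows only, to avoid leaking test data."""
    cols = list(zip(*rows))
    return [(min(c), max(c)) for c in cols]


def scale(row, scaler):
    """Min-max scale one row into [0, 1]; a constant feature maps to 0."""
    return [(x - lo) / (hi - lo) if hi > lo else 0.0
            for x, (lo, hi) in zip(row, scaler)]


def knn_predict(train, scaler, x, k=3):
    """Majority vote among the k nearest training rows (Euclidean, scaled)."""
    sx = scale(x, scaler)
    dists = sorted((math.dist(sx, scale(row, scaler)), label) for row, label in train)
    votes = Counter(label for _, label in dists[:k])
    return votes.most_common(1)[0][0]


def evaluate(y_true, y_pred, positive=ATTACK):
    """Accuracy, precision and recall with `positive` as the attack class."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    tn = len(y_true) - tp - fp - fn
    return {
        "accuracy": (tp + tn) / len(y_true),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def run_demo(k=3):
    """Train on TRAIN, classify TEST, return (predictions, metrics)."""
    scaler = fit_scaler([row for row, _ in TRAIN])
    preds = [knn_predict(TRAIN, scaler, row, k) for row, _ in TEST]
    truth = [label for _, label in TEST]
    return preds, evaluate(truth, preds)


if __name__ == "__main__":
    preds, metrics = run_demo()
    print("predictions:", preds)
    print({m: round(v, 3) for m, v in metrics.items()})
```

Precision is computed with the attack class as the positive class, so a high value means few benign flows are wrongly blocked; on real traffic the benign class vastly outnumbers the attack class, which is why accuracy alone, as the abstract's "above 90%" figure hints, can look good even when attack recall is poor.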
