Periodic Reporting for period 1 - REACT (A Simulation-based Framework for Measuring and Modeling the Impact of Attacks on 6G-enabled Massive IoT Networks)
Reporting period: 2022-09-01 to 2024-08-31
Intrusion detection, already a popular defense technology for traditional IP networks, is currently foreseen by industry and the research community as a promising security solution that can also play a significant role in protecting IoT networks, provided that novel Intrusion Detection Systems (IDSs) tailored to the resource-constrained characteristics of IoT networks are developed. In particular, considerable research effort has recently gone into the design and development of lightweight Anomaly-based Intrusion Detection Systems (AIDSs) leveraging Machine Learning (ML) techniques (e.g. SVMs), because of their ability to detect new, previously unknown attacks (e.g. zero-day attacks) in IoT networks. However, although AIDSs are attractive conceptually, they cannot yet be widely applied in practice, as they suffer from a high false-positive rate: they may classify unseen benign instances (i.e. instances not included in the training dataset) as malicious. Thus, decreasing the false-positive rate of future lightweight AIDSs is critical for their acceptance and wide adoption in massive IoT networks in the coming years.
Towards this direction, the main research focus so far has been on the feature selection process. Nevertheless, the efficacy of feature selection depends heavily on the quality (i.e. relevance and informativeness) of the initial set of raw features used to generate the training/testing datasets. Consequently, identifying effective (i.e. relevant and informative) raw features is of utmost importance to enhance feature selection, so that the subset of the most significant features is selected and leads to robust AIDSs with a reduced false-positive rate. However, so far and to the best of our knowledge, raw features for IoT AIDSs are identified through empirical processes that rely on the researchers’/engineers’ expertise and practical experience with the implementation peculiarities (e.g. underlying functionality, protocols and devices) of the IoT networks that the developed AIDSs will be deployed to protect. In other words, there is no formal, structured process for a more reliable, efficient and holistic identification of effective raw features that takes into account the impact of attacks on the performance of the targeted IoT network, even though that impact is closely tied to the network’s implementation peculiarities. In fact, very effective features for improving the detection capabilities of AIDSs can be derived from metrics related to the impact of attacks on the performance of the targeted IoT network. It is therefore essential, and at the same time challenging, to quantify the performance of the IoT network under attack in order to measure the actual impact and “translate” it into proper attack impact metrics (e.g. throughput, response time).
OBJECTIVE 1: Development, validation and integration of attack components for reliable simulation implementations of UDP flooding attacks and RPL attacks (e.g. sinkhole, wormhole, sybil and replay)
REACT Progress
• Provided new insights into threat model development for 6G-enabled massive IoT attack scenarios
• Implemented and validated key attack components (e.g. attacker/compromised nodes) for the proposed Cooja-based framework, enabling researchers/engineers to reliably and easily implement simulations of various IoT attacks. Three attack models were delivered: a UDP flooding attack, a sinkhole attack and a blackhole attack.
OBJECTIVE 2: Quantification of the impact of attack on the performance of massive IoT networks and identification of attack impact metrics (e.g. high energy consumption, high packet dropping ratio).
REACT Progress
• Provided new datasets reflecting the networking performance and attack impact metrics emanating from UDP flooding attacks in the Cooja-based framework.
OBJECTIVE 3: Modeling the behavior of attacks targeting massive IoT networks.
REACT progress
• Implemented and delivered five Machine Learning (ML)-based attack detection models for modeling the behavior of UDP flooding attacks: Logistic Regression (LR), K-Nearest Neighbors (KNN), Classification and Regression Trees (CART), Gaussian Naïve Bayes (NB) and Support Vector Machine (SVM). These allow researchers to analyze and gain a comprehensive understanding of the behavior of attacks over time in order to extract design specifications for more robust AIDSs.
OBJECTIVE 4: Identification of 5 (at least) effective raw features for robust AIDSs with low false-positive rate.
REACT Progress
• Delivered new datasets reflecting the three raw features emanating from UDP flooding attacks that were identified as the most influential for enhancing AIDSs (Anomaly-based Intrusion Detection Systems). These correspond to the following attack impact metrics: packet loss, duty cycle and packet send period.
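As an added illustration of Objectives 2 to 4 (attack impact metrics turned into raw features, then an ML attack-behavior model whose false-positive rate is measured), the following Python is example code written for this page; it is not REACT’s framework, datasets or models. It assumes a constructed per-node log format and a seeded synthetic feature table, both labelled as such in the code, and implements one of the five listed models, Gaussian Naïve Bayes, by hand so that it runs without external libraries. The three features are the ones named under Objective 4: packet loss, duty cycle and packet send period.

```python
import math
import random
from collections import defaultdict

# Constructed log lines in a hypothetical format (an assumption, not Cooja's
# native output). Three event kinds per node:
#   "<t_ms> ID:<node> TX"                      node sent an application packet
#   "<t_ms> ID:<node> RX"                      sink received a packet from <node>
#   "<t_ms> ID:<node> RADIO on=<t> total=<t>"  cumulative radio-on / elapsed ticks
SAMPLE_LOG = """\
1000 ID:2 TX
1010 ID:2 RX
61000 ID:2 TX
61015 ID:2 RX
121000 ID:2 TX
121020 ID:2 RX
121020 ID:2 RADIO on=1200 total=120000
1000 ID:7 TX
1020 ID:7 TX
1040 ID:7 TX
1050 ID:7 RX
1060 ID:7 TX
1100 ID:7 RADIO on=40 total=100
"""

def extract_features(log_text):
    """Map node id -> (packet_loss, duty_cycle, send_period_s) from log lines."""
    tx_times, rx_count, duty = defaultdict(list), defaultdict(int), {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[1].startswith("ID:"):
            continue  # not in the constructed format; ignore
        t_ms, node, event = int(parts[0]), parts[1][3:], parts[2]
        if event == "TX":
            tx_times[node].append(t_ms)
        elif event == "RX":
            rx_count[node] += 1
        elif event == "RADIO":
            on, total = (int(p.split("=")[1]) for p in parts[3:5])
            duty[node] = on / total
    feats = {}
    for node, times in tx_times.items():
        loss = 1.0 - rx_count[node] / len(times)  # packet dropping ratio
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = sum(gaps) / len(gaps) / 1000.0 if gaps else 0.0  # seconds
        feats[node] = (loss, duty.get(node, 0.0), period)
    return feats

def make_dataset(n_per_class, seed, benign_period=(50.0, 70.0)):
    """Constructed, seeded feature table (synthetic; not a REACT dataset).
    Benign: low loss, low duty cycle, send period in benign_period (seconds).
    Flood: high loss, high duty cycle, sub-second send period."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_per_class):
        rows.append(((rng.uniform(0.0, 0.1), rng.uniform(0.005, 0.03),
                      rng.uniform(*benign_period)), "benign"))
        rows.append(((rng.uniform(0.3, 0.9), rng.uniform(0.2, 0.6),
                      rng.uniform(0.01, 0.2)), "flood"))
    return rows

def nb_fit(rows):
    """Gaussian Naive Bayes: per-class log prior, feature means and variances."""
    by_class = defaultdict(list)
    for x, y in rows:
        by_class[y].append(x)
    model = {}
    for y, xs in by_class.items():
        cols = list(zip(*xs))
        means = [sum(c) / len(c) for c in cols]
        variances = [max(sum((v - m) ** 2 for v in c) / len(c), 1e-9)
                     for c, m in zip(cols, means)]
        model[y] = (math.log(len(xs) / len(rows)), means, variances)
    return model

def nb_predict(model, x):
    """Class with the highest log posterior for feature vector x."""
    best, best_score = None, -math.inf
    for y, (log_prior, means, variances) in model.items():
        score = log_prior + sum(
            -0.5 * math.log(2 * math.pi * var) - (v - m) ** 2 / (2 * var)
            for v, m, var in zip(x, means, variances))
        if score > best_score:
            best, best_score = y, score
    return best

def false_positive_rate(model, rows):
    """Share of benign rows the model flags as an attack."""
    benign = [x for x, y in rows if y == "benign"]
    return sum(nb_predict(model, x) != "benign" for x in benign) / len(benign)

def demo():
    model = nb_fit(make_dataset(200, seed=1))
    per_node = {n: nb_predict(model, f) for n, f in extract_features(SAMPLE_LOG).items()}
    fpr_seen = false_positive_rate(model, make_dataset(100, seed=2))
    # Benign nodes of an application reporting every 0.2-0.5 s were never in
    # the training data; the model has no benign mass there and flags them.
    fpr_unseen = false_positive_rate(
        model, make_dataset(100, seed=3, benign_period=(0.2, 0.5)))
    return per_node, fpr_seen, fpr_unseen

if __name__ == "__main__":
    print(demo())
```

The last value returned by demo() makes the false-positive problem from the introduction concrete: benign nodes of an application with a send period never seen during training are flagged as flooding even though their loss and duty cycle are normal. That is exactly the case a better raw-feature set, or training data that covers the deployment’s implementation peculiarities, has to address.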
Therefore, the goal of REACT is to go beyond the state of the art of current empirical approaches and fill the significant research gap, namely the lack of a formal, structured process for identifying effective raw features for robust IoT AIDSs, by developing a simulation-based framework for measuring and modeling the impact of attacks on 6G-enabled massive IoT networks. The framework was decided to be simulation-based in order to exploit the benefits of a software-based IoT network simulator, since quantifying the performance of a massive IoT network under attack in a real-world environment is extremely challenging and realistically infeasible. However, although there are several software-based IoT network simulators, such as OMNeT++, Cooja and NS-3, they are not suitable for the proposed framework as they stand, because they lack built-in support for implementing simulations of IoT attacks in a systematic way, which is essential for reliably simulating the attacks and measuring their impact. It is worth noting that, to overcome this limitation, the current approach followed by the IoT security community is the manual integration of custom extensions into existing simulators, such as NETA for OMNeT++ and RPL attack implementations for Cooja. Yet this approach has led most current simulations of IoT attacks to be implemented in different simulation tools by different researchers independently, without common implementation principles and without a common ground for benchmarking. Moreover, these simulation implementations do not usually become publicly available to the IoT security community for reproducible experimentation and reuse. Thus, IoT security researchers have to “reinvent the wheel” every time they want to simulate an IoT attack scenario.
In particular, the proposed framework will provide a reliable and easily configurable simulation environment allowing the study and evaluation of attacks against massive IoT networks in a systematic way, together with a security tool for (i) measuring and modeling the impact of attacks on massive IoT networks, enabling the identification of effective raw features for developing robust AIDSs with a low false-positive rate, and (ii) developing attack behavior models based on the network traffic and the IoT device log files generated by simulation scenarios in which massive IoT networks are under attack. Thanks to the attack behavior models, the impact of attacks will be known a priori, and thus better-informed decisions can be taken during the development and evaluation phases not only of more effective AIDSs, which are the main focus of this proposal, but also of other types of security solutions.