1 of 52

2 of 52

IoT Spy: Telemetry for Security Metrics

Xenia Mountrouidou

Network Automation Engineer

Network to Code

3 of 52

Challenges in IoT Security

Solution: IoT Spy

Security Metrics for IoT

Implementation

Visualizations

Demo

Recap

Agenda

4 of 52

Challenges in IoT Security

(Image Credit: The Connectivist)

5 of 52

Challenges in IoT Security

(Image Credit: The Connectivist)

6 of 52

Challenge: Security metrics

Measure the unknown
Moving target
Security is a set of attributes

Prior work:

Quantified Security is a weak hypothesis - Verendel
NIST Common Vulnerability Scoring System (CVSS)
How to measure everything - Hubbard, Cronin
Security Metrics: replacing fear, uncertainty, and doubt

7 of 52

Solution: IoT Spy

Open Source tcpdump streaming solution: https://github.com/mundruid/iot_spy

Collect live tcpdump data from access point
Create metadata based on MAC address
Output data to Influx db TSDB

8 of 52

Solution: IoT Spy

Novel security metrics based �on tcpdump streaming
Exploratory analysis using Grafana �Dashboards
Telegraf Influx Grafana (TIG) Stack �

https://github.com/mundruid/iot_spy

9 of 52

Solution: IoT Spy

Telemetry stack

Telegraf - collector
Influxdb - database
Grafana - Visualization

Security Metrics for IoT
Alerting with slack

10 of 52

Solution: IoT Spy

Extensible & Configurable

devices.json: input any device �(key, value) = (MAC, device_name)
tcpdump_fields.json: input empty �dictionary with all the fields we want to collect

11 of 52

Security Metrics for IoT

12 of 52

Security metrics vs telemetry metrics

Security metrics	Telemetry metrics
Reduce uncertainty	Specific Values
Probabilistic	Deterministic
Set of measurements lead to a score	Single measurement

13 of 52

IoT Spy Metrics

Security Metric	IoT Feature	CIANA Principle
# of inbound connections	Communication	Confidentiality, Availability
# of outbound connections	Communication	Confidentiality
# of active services	Communication, purpose, mobility	CIA & Safety
packet statistics: length & interarrival	Communication, purpose, mobility	Availability

Not just another Internet of Things taxonomy: A method for validation of taxonomies

X Mountrouidou, B Billings, L Mejia-Ricart - Internet of Things, 2019

14 of 52

How do our metrics apply to security?

Security pillars

Confidentiality - Need to know
Integrity - Information accuracy
Availability - Timely access to services
Non-repudiation - proof of delivery & senders ID
Authentication - no impersonation

15 of 52

# of inbound/outbound connections

Unscheduled inbound request

�

Unsolicited

Confidentiality

Brute force

�

Scanning

Availability

16 of 52

# of services connections

Open ports

�

Weak passwords

Confidentiality

Integrity

Availability

Safety

IoT Metrics and Automation for Security Evaluation

T Setzler, X Mountrouidou - 2021 IEEE 18th Annual Consumer Communications & Networking, 2021

17 of 52

Packet statistics

Intrusion Detection monitoring metric

Availability
Confidentiality

18 of 52

Architecture - Testbed

Common IoT

Printer
Phone
Webcam
Echo
Smart plug
Smart light

Access Point

Raspberry Pi

SSH tcpdump

JSON formatted data

19 of 52

Tcpdump to JSON

Layers

frame
eth
ip
tcp/udp

20 of 52

Architecture: TIG Stack Overview

Telegraf - agent for collection. Plugins:

Input,
Output,
Processing,
Aggregation

Influxdb - TSDB

Fields
Tags
Timestamps

Grafana

Dashboards
Alerting

21 of 52

Implementation

22 of 52

Collector

Devices

Source of Truth: intended network state
Scanning

Python script

Input: JSON stdin from sshdump
Output influxdb line protocol

Tcpdump data

Ssh to wifi access point
Collect data from wireless �interface

Telegraf docker container

Input: file tail plugin
Output: Influxdb plugin

23 of 52

Architecture - Data Model

Influx TSDB�docker container
Data Model

Measurement
Tags
Fields

tcpdump,dev_src=Alexa,dev_dst=unknown,protocol=UDP port_src=”12345”,port_dst=”53”,ip_src=”10.0.0.30”,ip_dst=”8.8.8.8” 1631669265000000

24 of 52

Data Model

tcpdump,dev_src=Alexa,dev_dst=unknown,protocol=UDP, port_src=12345,port_dst=53,ip_src=”10.0.0.30”,ip_dst=”8.8.8.8” length=80,interarrival=0.023 1631669265000000

measurement

25 of 52

Graphs & Alerting

Grafana docker container
Rows of graphs for clarity

Timeseries
Gauges
Statistics

Slack webhook for alerting

26 of 52

Visualizations

27 of 52

Dashboards

Time Series

Probabilities

CDFs

Tables

Histograms

Exploratory Data Analysis (EDA)

28 of 52

What is EDA?

Maximize insight into a data set
Uncover underlying structure
Extract important variables
Detect outliers and anomalies
Test underlying assumptions

Time series ~= Mean plot

Probabilities, CDFs

==

Probability plots

Reference: https://www.itl.nist.gov/div898/handbook/eda/section1/eda11.htm

Histograms

Tables ~= Block plots

29 of 52

Probabilistic visualizations

A = SELECT count("ip_dst") FROM "tcpdump" WHERE ("port_dst" =~ /^$port_dst$/ AND "device_dst" =~ /^$device_dst$/) AND $timeFilter GROUP BY time(1d) fill(null)

B = SELECT count("ip_dst") FROM "tcpdump" WHERE ("device_dst" =~ /^$device_dst$/) AND $timeFilter GROUP BY time(1d) fill(null)

C = $A / $B

30 of 52

Probabilistic visualizations - Cumulative Distribution

31 of 52

Histograms

32 of 52

Tables

Drill into services (ports)
Frequency of event

33 of 52

Testbed

Common IoT

Printer
Phone
Webcam
Echo
Smart plug
Smart light

Phones

Printers

34 of 52

Demo

35 of 52

Good, bad, ugly

36 of 52

Good, bad, ugly

37 of 52

Good, bad, ugly

38 of 52

Good, bad, ugly

39 of 52

Recap

Novel security metrics for streaming telemetry
TIG stack for visualization, storage, and alerting
Probability used to reduce uncertainty

Future work

Z scores for anomaly detection
Generalize implementation to a Telegraf tcpdump plugin

40 of 52

Thank you

Questions?

41 of 52

42 of 52

Logos & Icons

43 of 52

Grab our logos here:

44 of 52

45 of 52

Grab our logos here:

46 of 52

47 of 52

Grafana Enterprise Data Source Plugins

48 of 52

Diagramming Kit

49 of 52

component

50 of 52

component

51 of 52

Small icon/logo

Medium icon/logo

Large icon/logo

52 of 52

Write Path

Query Path

Control Requests

Distributor

Query/Frontend

Configs API �(optional)

Alertmanager �(optional)

Ingester

Querier

Table Manager

Ruler �(optional)

What you handle

We take it from here

Gateway/Query

Frontend / NGINX

Grafana

Remote Write API

Prometheus

Example Diagram:

Please use 'blank_light' or 'blank_dark' background layout when creating diagrams.

Nodes

Pods

Ingresses

Consul

Results Memcache

Index Memcache

Chunks Memcache

Postgres

BigTable/

Cassandra/

DynamoDB

S3/GCS

(optional)

scrape

jobs