Title
Comprehending the IoT cyber threat landscape: A data dimensionality reduction technique to infer and characterize Internet-scale IoT probing campaigns.
Abstract
The resource-constrained and heterogeneous nature of Internet-of-Things (IoT) devices, coupled with the placement of such devices in publicly accessible venues, complicates efforts to secure these devices and the networks they are connected to. The Internet-wide deployment of IoT devices also makes it challenging to operate security solutions at strategic locations within the network or to identify orchestrated activities among seemingly independent malicious events from such devices. Therefore, in this paper, we initially seek to determine the magnitude of IoT exploitations by examining more than 1 TB of passive measurement data collected from a /8 network telescope and by correlating it with 400 GB of information from the Shodan service. In the second phase of the study, we conduct in-depth discussions with Internet Service Providers (ISPs) and backbone network operators, and leverage geolocation databases, not only to attribute such exploitations to their hosting environment (ISPs, countries, etc.) but also to classify the inferred IoT devices by hosting sector type (financial, education, manufacturing, etc.) and most abused IoT manufacturers. In the third phase, we automate the task of alerting realms that are determined to be hosting exploited IoT devices. Additionally, to address the problem of inferring orchestrated IoT campaigns solely by observing their activities targeting the network telescope, we introduce a theoretically sound technique based on L1-norm PCA and validate the utility of the proposed data dimensionality reduction technique against the conventional L2-norm PCA. Specifically, we identify "in the wild" coordinated IoT probing campaigns that target generic ports, as well as campaigns specifically searching for open resolvers (for amplification purposes).
The results reveal more than 120,000 Internet-scale exploited IoT devices, some of which are operating in critical infrastructure sectors such as health and manufacturing. We also infer 140 large-scale IoT-centric probing campaigns; a sample of these includes a worldwide distributed campaign in which close to 40% of the population consists of video surveillance cameras from a single manufacturer, and another very large inferred coordinated campaign consisting of more than 50,000 IoT devices. The reported findings highlight the insecurity of the IoT paradigm at large and thus demonstrate the importance of understanding such an evolving threat landscape.
Year: 2019
DOI: 10.1016/j.diin.2019.01.014
Venue: Digital Investigation
Keywords: IoT forensics, Big data, Probing, Network telescopes, Network forensics, L1-norm PCA
Field: Hosting environment, Network telescope, Population, Software deployment, Computer security, Computer science, Geolocation, Critical infrastructure, Backbone network, The Internet
DocType: Journal
Volume: 28
Issue: Supplement
ISSN: 1742-2876
Citations: 2
PageRank: 0.37
References: 6
Authors: 6

Name                      Order   Citations and PageRank (run together in the source record)
Morteza Safaei Pour       1       41.09
Elias Bou-Harb            2       20726.40
Kavita Varma              3       20.37
Nataliia Neshenko         4       262.23
Dimitris Pados            5       20826.49
Kim-Kwang Raymond Choo    6       4103362.49