Karley M. Waguespack , Kaitlyn J. Smith , Olame A. Muliri , Ramyapandian Vijayakanthan , Aisha Ali-Gombe
{"title":"MARS:物联网事件响应的第一道防线","authors":"Karley M. Waguespack , Kaitlyn J. Smith , Olame A. Muliri , Ramyapandian Vijayakanthan , Aisha Ali-Gombe","doi":"10.1016/j.fsidi.2024.301754","DOIUrl":null,"url":null,"abstract":"<div><p>The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled <em>MARS</em> (Memory Anomaly Recognition System). <em>MARS</em> is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of <em>MARS</em> leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, <em>MARS</em> is embedded within a Trusted Execution Environment—a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes <em>MARS</em> tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the <em>MARS</em> prototype on STM32L562QEI6QU showed our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robustness of memory changes.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0000,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000738/pdfft?md5=09a1fb9a920fb8dccb2a5090d50aa3bd&pid=1-s2.0-S2666281724000738-main.pdf","citationCount":"0","resultStr":"{\"title\":\"MARS: The first line of defense for IoT incident response\",\"authors\":\"Karley M. Waguespack , Kaitlyn J. Smith , Olame A. Muliri , Ramyapandian Vijayakanthan , Aisha Ali-Gombe\",\"doi\":\"10.1016/j.fsidi.2024.301754\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled <em>MARS</em> (Memory Anomaly Recognition System). <em>MARS</em> is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of <em>MARS</em> leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, <em>MARS</em> is embedded within a Trusted Execution Environment—a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes <em>MARS</em> tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the <em>MARS</em> prototype on STM32L562QEI6QU showed our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robustness of memory changes.</p></div>\",\"PeriodicalId\":48481,\"journal\":{\"name\":\"Forensic Science International-Digital Investigation\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":2.0000,\"publicationDate\":\"2024-07-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://www.sciencedirect.com/science/article/pii/S2666281724000738/pdfft?md5=09a1fb9a920fb8dccb2a5090d50aa3bd&pid=1-s2.0-S2666281724000738-main.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Forensic Science International-Digital Investigation\",\"FirstCategoryId\":\"3\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2666281724000738\",\"RegionNum\":4,\"RegionCategory\":\"医学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Forensic Science International-Digital Investigation","FirstCategoryId":"3","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2666281724000738","RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
摘要
物联网(IoT)设备在家庭、企业和工业领域的普及大大提高了我们收集数据和自动执行任务的能力。尽管这些设备无处不在,但它们的资源明显有限,而且经常缺乏强大的安全防御功能,从而带来了巨大的入侵和网络威胁风险。为了解决这些问题,我们提出了一种专门针对物联网设备设计的新型异常主机入侵检测系统,名为 MARS(内存异常识别系统)。MARS 的设计初衷是作为事件响应框架中的重要组成部分,充当组织网络或系统中潜在安全漏洞的早期检测系统。MARS 的基本架构利用设备内存作为监控系统级事件的关键指标。为了增强其安全性和完整性,MARS 被嵌入了一个可信执行环境--一个微控制器的安全、硬件隔离区域,不受不受信任软件的影响。这种设计选择不仅使 MARS 防篡改,还确保了对设备内存的可靠监控。通过远程服务器上的异常检测算法,可以检测到与既定内存基线的偏差,这表明存在安全隐患。我们在 STM32L562QEI6QU 上对 MARS 原型进行了评估,结果表明我们提出的架构可以实现良好的可扩展性,同时保持内存变化的可信度、准确性和稳健性。
MARS: The first line of defense for IoT incident response
The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled MARS (Memory Anomaly Recognition System). MARS is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of MARS leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, MARS is embedded within a Trusted Execution Environment—a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes MARS tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the MARS prototype on STM32L562QEI6QU showed our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robustness of memory changes.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
