基于 PUF 和 ML 的混合方法保护基于 MQTT 的物联网系统免受 DDoS 攻击

Ankit Sharma, Kriti Bhushan
{"title":"基于 PUF 和 ML 的混合方法保护基于 MQTT 的物联网系统免受 DDoS 攻击","authors":"Ankit Sharma, Kriti Bhushan","doi":"10.1007/s10586-024-04638-6","DOIUrl":null,"url":null,"abstract":"<p>IoT application uses MQTT, an application layer protocol that facilitates machine-to-machine communication using a central entity called broker. The vulnerability lies in the broker being susceptible to intrusion attempts, where a potential attacker might engage in a Distributed Denial of Service attack. Such an attack involves repetitively transmitting large number of malicious messages or counterfeit connect requests. To send large messages, the attackers must breach the authentication process of MQTT. MQTT employs two authentication approaches to safeguard its system: certificate-based and credential-based authentication. Credential-based authentication is popular as it is easy to implement. However, in MQTT, credential-based authentication is vulnerable to various attacks as credentials are transmitted in plain-text form. In literature, authors have explored different cryptography-based solutions to address these challenges. However, implementing these solutions in IoT systems is impractical due to the substantial computational requirements at the broker and the end devices. The primary objective of this work centres around formulating a PUF-based authentication policy and designing an IDS to track the behaviour of incoming traffic. In the proposed authentication scheme, the PUF mechanisms generate credentials to establish authenticity, thus protecting the network from password-based vulnerabilities like dictionary-based attacks. The second security module of this research implements a Machine Learning based IDS system to track and block fake connect requests in real-time. The proposed IDS system comprises Decision Tree and Neural Network algorithms that operate in parallel. In order to maintain the lightweight nature of the ML model, the system incorporates a feature selection technique. The result section shows that the proposed system effectively and efficiently recognizes fake connect requests in real-time and consumes minimal energy. Additionally, the proposed scheme requires less time than existing schemes in the literature.</p>","PeriodicalId":501576,"journal":{"name":"Cluster Computing","volume":"23 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A hybrid approach based on PUF and ML to protect MQTT based IoT system from DDoS attacks\",\"authors\":\"Ankit Sharma, Kriti Bhushan\",\"doi\":\"10.1007/s10586-024-04638-6\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p>IoT application uses MQTT, an application layer protocol that facilitates machine-to-machine communication using a central entity called broker. The vulnerability lies in the broker being susceptible to intrusion attempts, where a potential attacker might engage in a Distributed Denial of Service attack. Such an attack involves repetitively transmitting large number of malicious messages or counterfeit connect requests. To send large messages, the attackers must breach the authentication process of MQTT. MQTT employs two authentication approaches to safeguard its system: certificate-based and credential-based authentication. Credential-based authentication is popular as it is easy to implement. However, in MQTT, credential-based authentication is vulnerable to various attacks as credentials are transmitted in plain-text form. In literature, authors have explored different cryptography-based solutions to address these challenges. However, implementing these solutions in IoT systems is impractical due to the substantial computational requirements at the broker and the end devices. The primary objective of this work centres around formulating a PUF-based authentication policy and designing an IDS to track the behaviour of incoming traffic. In the proposed authentication scheme, the PUF mechanisms generate credentials to establish authenticity, thus protecting the network from password-based vulnerabilities like dictionary-based attacks. The second security module of this research implements a Machine Learning based IDS system to track and block fake connect requests in real-time. The proposed IDS system comprises Decision Tree and Neural Network algorithms that operate in parallel. In order to maintain the lightweight nature of the ML model, the system incorporates a feature selection technique. The result section shows that the proposed system effectively and efficiently recognizes fake connect requests in real-time and consumes minimal energy. Additionally, the proposed scheme requires less time than existing schemes in the literature.</p>\",\"PeriodicalId\":501576,\"journal\":{\"name\":\"Cluster Computing\",\"volume\":\"23 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-07-05\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Cluster Computing\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1007/s10586-024-04638-6\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cluster Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1007/s10586-024-04638-6","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

摘要

物联网应用程序使用 MQTT,这是一种应用层协议,可通过一个称为代理的中心实体促进机器与机器之间的通信。漏洞在于代理容易受到入侵尝试的影响,潜在的攻击者可能会进行分布式拒绝服务攻击。这种攻击涉及重复发送大量恶意信息或伪造连接请求。要发送大量信息,攻击者必须破坏 MQTT 的验证过程。MQTT 采用两种身份验证方法来保护其系统:基于证书的身份验证和基于凭证的身份验证。基于凭证的身份验证很容易实现,因此很受欢迎。然而,在 MQTT 中,基于凭证的身份验证容易受到各种攻击,因为凭证是以明文形式传输的。在文献中,作者们探索了不同的基于密码学的解决方案来应对这些挑战。然而,在物联网系统中实施这些解决方案是不切实际的,因为在代理和终端设备上需要大量的计算。这项工作的主要目标是制定基于 PUF 的身份验证策略,并设计一种 IDS 来跟踪传入流量的行为。在建议的验证方案中,PUF 机制生成凭证以建立真实性,从而保护网络免受基于密码的漏洞(如基于字典的攻击)。本研究的第二个安全模块实施了基于机器学习的 IDS 系统,以实时跟踪和阻止虚假连接请求。拟议的 IDS 系统由决策树和神经网络算法组成,这两种算法并行运行。为了保持 ML 模型的轻量级特性,系统采用了特征选择技术。结果部分显示,所提出的系统能有效、高效地实时识别假冒连接请求,而且能耗极低。此外,与文献中的现有方案相比,拟议方案所需的时间更短。
本文章由计算机程序翻译,如有差异,请以英文原文为准。

摘要图片

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
A hybrid approach based on PUF and ML to protect MQTT based IoT system from DDoS attacks

IoT application uses MQTT, an application layer protocol that facilitates machine-to-machine communication using a central entity called broker. The vulnerability lies in the broker being susceptible to intrusion attempts, where a potential attacker might engage in a Distributed Denial of Service attack. Such an attack involves repetitively transmitting large number of malicious messages or counterfeit connect requests. To send large messages, the attackers must breach the authentication process of MQTT. MQTT employs two authentication approaches to safeguard its system: certificate-based and credential-based authentication. Credential-based authentication is popular as it is easy to implement. However, in MQTT, credential-based authentication is vulnerable to various attacks as credentials are transmitted in plain-text form. In literature, authors have explored different cryptography-based solutions to address these challenges. However, implementing these solutions in IoT systems is impractical due to the substantial computational requirements at the broker and the end devices. The primary objective of this work centres around formulating a PUF-based authentication policy and designing an IDS to track the behaviour of incoming traffic. In the proposed authentication scheme, the PUF mechanisms generate credentials to establish authenticity, thus protecting the network from password-based vulnerabilities like dictionary-based attacks. The second security module of this research implements a Machine Learning based IDS system to track and block fake connect requests in real-time. The proposed IDS system comprises Decision Tree and Neural Network algorithms that operate in parallel. In order to maintain the lightweight nature of the ML model, the system incorporates a feature selection technique. The result section shows that the proposed system effectively and efficiently recognizes fake connect requests in real-time and consumes minimal energy. Additionally, the proposed scheme requires less time than existing schemes in the literature.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Quantitative and qualitative similarity measure for data clustering analysis OntoXAI: a semantic web rule language approach for explainable artificial intelligence Multi-threshold image segmentation using a boosted whale optimization: case study of breast invasive ductal carcinomas PSO-ACO-based bi-phase lightweight intrusion detection system combined with GA optimized ensemble classifiers A scalable and power efficient MAC protocol with adaptive TDMA for M2M communication
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1