Approach to Internet of Things Detection of Security Incidents Using SIEM Technology
Zegzhda D. P., Lavrova D. S. Peter the Great St. Petersburg Polytechnic University St. Petersburg, Russia [email protected], [email protected]
Abstract. In this article the authors propose an approach to the detection of security incidents in the Internet of Things using SIEM technology. The proposed approach takes into account such Internet of Things characteristics as the high heterogeneity of devices and the large number of implicit logical connections between devices that arise while technological processes are implemented. The notion of a "security event" for the Internet of Things is also formalized on the basis of a graph model.
Keywords: Internet of Things, security incident, SIEM, security analysis, data aggregation, ontology.
Introduction
The Internet of Things (IoT) concept involves the association of physical objects into networks using built-in technologies, so that these objects are able to interact with each other and with the outside world without human involvement [1]. The integration of the Internet of Things into all spheres of human activity has led to the emergence of large-scale complex IoT systems that include a wide variety of devices. A successful attack on an IoT system is capable of causing harm to human life, and therefore the problem of providing security in the IoT is extremely important.
SIEM (security information and event management) technology is a promising technology for providing security in large-scale systems. A SIEM system collects events from various network security tools, aggregates them, brings them to a common format and correlates them (connects them with each other according to significant parameters) [2].
However, the methodology of existing SIEM systems cannot be applied to providing security in the IoT because of the specifics of the IoT subject area. Existing SIEM systems are mostly focused on incident detection in information systems. They are not designed to process large amounts of heterogeneous unstructured data, and they take into account neither the fact that devices are controlled by each other nor the logical connections between devices that arise because the devices perform a single technological process.
Thus, there is a need to develop new methods and approaches for processing large amounts of heterogeneous data and for detecting security incidents related to violations of the correctness of the technological process.
Ontological model of the Internet of Things subject area for SIEM system development
A subject area model based on ontologies provides the following benefits, in accordance with [3, 4]:
• the model can be easily adapted and supplemented; new terms can be defined without revising existing definitions;
• interconnected domain relations (internal and inter-level) can be considered;
• the same domain objects can be considered from different points of view by virtue of their affiliation with different conceptual constructions;
• other models intended to describe individual subsystems of the domain can be connected to the ontological model using the concepts introduced in it;
• the ontological model is machine-readable and translatable into other universal languages;
• a prototype of a security system can be designed on the basis of the ontological model.
Constructing an ontological model of the Internet of Things makes it possible to consider the interactions between devices that implement physical processes through messaging at different levels of abstraction. The result of creating the ontological models is a set of recommendations for the functional characteristics of a SIEM system for the Internet of Things.
The overriding objective is a description of the main (central) ontology concepts and the relationships between them. Fig. 1 illustrates the relationships between the central ontology concepts; arrows symbolize dependence between concepts.
Fig. 1. Central ontology concepts
With financial support from the Ministry of Education and Science of the Russian Federation within the Federal Target Program "Research and development in priority areas of the development of the scientific and technological complex of Russia for 2014-2020" (subsidy agreement No. 14.575.21.0100 of 14.11.2014, unique identifier RFMEFI57514X0100).
Intellectual Technologies on Transport. 2017. No 1
To reduce the dimension of the message space and transform it into an event space, it is advisable to consider the concepts of "message" and "event" in detail [5]. The resulting level of messages and events is shown in Fig. 2.
Therefore, the dimension of the message space can be reduced by combining message values into a single one through aggregation by time and by object type.
To develop the methods for detecting security incidents that the SIEM system should implement, the concepts of "event" and "security threat" are considered; they are shown in Fig. 3.
This level reflects the key characteristics of anomalies in the IoT system. At the same time, it reflects an important feature of IoT systems: there are two types of connections, communication connections and logical connections. Methods for detecting security incidents must therefore take this feature into account.
Thus, the developed ontological model has made it possible to formulate recommendations for the functional characteristics of a SIEM system for the IoT, taking into account the specifics of the subject area.
Reduction of data dimension
The primary objective of the SIEM system is to reduce the dimension of the messages and bring them to a common format. To solve this problem, an aggregation and normalization technique is proposed [6]. The technique involves the following steps:
• parsing message formats and extracting their parameters;
• aggregating messages by time;
• normalizing message parameters and assigning metadata;
• aggregating messages according to device type;
• forming events.
Fig. 2. Level of messages and events (concepts shown: device, network parameter, command, info message, message value, time stamp, evaluation value, message aggregated by time, message aggregated by object, normalized message)
Fig. 3. Security threats level
To parse message formats and define message types, metadata directories are used. These directories are also used to normalize message parameters, determining the format to which the parameters should be aligned.
When messages are aggregated by time, the parameter values obtained from a device over a certain period are combined into one using a statistical evaluation.
To reduce the data dimension further, aggregation by device type is implemented. During such aggregation, the indicators of multiple devices of the same type are combined into one if their values are the same or differ from each other by less than the value of the error. Such aggregation, however, requires identical indicator formats, which is ensured at the data normalization stage. After aggregation by device type, messages are transformed into events. The event structure is described by a tuple of four elements (parameters that identify the sending device, the receiving device, the type of event and the time of event generation) [7].
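The five steps above as an added Python example (not the authors' implementation): a metadata directory drives parsing and unit normalization, readings are aggregated by time and then by device type, and each merged group becomes an event tuple. Device names, message formats, periods and tolerances are constructed for the illustration.

```python
"""Added example: aggregation and normalization of heterogeneous IoT messages into
events. Not the authors' implementation; formats, names and tolerances are constructed."""
import json
import re
from collections import defaultdict

def parse_legacy_temp(raw):
    """Legacy text format, e.g. 'T=70.0F' -> (70.0, 'F'); reject anything else."""
    m = re.fullmatch(r"T=(-?\d+(?:\.\d+)?)([CF])", raw)
    if not m:
        raise ValueError(f"unparseable temperature message: {raw!r}")
    return float(m.group(1)), m.group(2)

def parse_json_reading(raw):
    """JSON format, e.g. '{"value": 0.42, "unit": "ratio"}' -> (0.42, 'ratio')."""
    d = json.loads(raw)
    return float(d["value"]), str(d["unit"])

# Metadata directory (constructed): per device type, a parser per message format, the
# target unit with conversions, the aggregation period (s) and the error tolerance.
DIRECTORY = {
    "temperature": {"parsers": {"legacy": parse_legacy_temp, "json": parse_json_reading},
                    "unit": "C", "period": 30, "tolerance": 0.5,
                    "convert": {"C": lambda v: v, "F": lambda v: (v - 32) * 5 / 9}},
    "soil_moisture": {"parsers": {"json": parse_json_reading},
                      "unit": "percent", "period": 30, "tolerance": 1.0,
                      "convert": {"percent": lambda v: v, "ratio": lambda v: v * 100}},
}

def aggregate_by_time(messages):
    """Steps 1-2: parse each message; per device and aggregation period, keep the mean."""
    buckets = defaultdict(list)  # (type, device, period start) -> [(value, unit)]
    for device, dev_type, fmt, ts, raw in messages:
        spec = DIRECTORY[dev_type]
        buckets[(dev_type, device, ts - ts % spec["period"])].append(spec["parsers"][fmt](raw))
    aggregated = {}
    for key, readings in buckets.items():
        units = {u for _, u in readings}
        if len(units) != 1:  # a device must not change units inside one period
            raise ValueError(f"mixed units within one period: {key}")
        aggregated[key] = (sum(v for v, _ in readings) / len(readings), units.pop())
    return aggregated

def normalize(aggregated):
    """Step 3: convert each value to the directory's unit and attach metadata."""
    return [{"type": t, "device": d, "time": w, "unit": DIRECTORY[t]["unit"],
             "value": DIRECTORY[t]["convert"][u](v)} for (t, d, w), (v, u) in aggregated.items()]

def aggregate_by_device_type(normalized):
    """Step 4: merge same-type devices of one period whose values lie within the tolerance."""
    merged = []
    for n in sorted(normalized, key=lambda n: (n["type"], n["time"], n["value"])):
        first = merged[-1][0] if merged else None  # lowest value of the open group
        same_group = first and (first["type"], first["time"]) == (n["type"], n["time"])
        if same_group and n["value"] - first["value"] < DIRECTORY[n["type"]]["tolerance"]:
            merged[-1].append(n)
        else:
            merged.append([n])
    return merged

def form_events(merged, receiver="controller"):
    """Step 5: one event (sender(s), receiver, event type, time) per merged group."""
    return sorted((tuple(sorted(n["device"] for n in grp)), receiver,
                   grp[0]["type"] + "_reading", grp[0]["time"]) for grp in merged)

def process(messages):
    return form_events(aggregate_by_device_type(normalize(aggregate_by_time(messages))))

# Constructed raw traffic (13 messages): three temperature sensors in two formats and two
# units over one 30 s period plus one later message, and three soil moisture sensors.
RAW_MESSAGES = (
    [("t1", "temperature", "legacy", ts, "T=21.0C") for ts in (0, 10, 20)]
    + [("t2", "temperature", "json", ts, '{"value": 70.0, "unit": "F"}') for ts in (0, 10, 20)]
    + [("t3", "temperature", "legacy", ts, "T=25.0C") for ts in (0, 10, 20)]
    + [("t1", "temperature", "legacy", 35, "T=21.2C"),
       ("s1", "soil_moisture", "json", 0, '{"value": 0.42, "unit": "ratio"}'),
       ("s2", "soil_moisture", "json", 5, '{"value": 42.0, "unit": "percent"}'),
       ("s3", "soil_moisture", "json", 5, '{"value": 55.0, "unit": "percent"}')]
)
```

Running `process(RAW_MESSAGES)` turns the 13 raw messages into 5 events; t1 and t2 merge because 70.0 °F normalizes to 21.1 °C, within 0.5 of t1.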
Detection of security incidents in the Internet of Things
To detect security incidents it is necessary to define the term "security event" for the IoT. To provide security, the effects on both information and processes in the IoT system should be considered. To solve this problem, a set of interacting IoT devices is represented as a graph G, where the devices are characterized by a set of vertices V and a set of edges E characterizes the set of connections between devices [2]. Edges can be of two types:
• edges that characterize communication links between devices during messaging;
• edges that characterize logical connections between devices that exchange no messages.
A security event in the IoT is a change in the graph structure, which manifests itself in a change of the number of vertices or edges, or of their parameters.
In accordance with the graph model of IoT devices, detecting security incidents requires controlling the number of vertices and edges and their parameters. Some parameters can easily be controlled using signature and statistical approaches [8].
However, control of the connections and their parameters must be adapted to the specifics of the IoT subject area. Therefore, two methods for detecting security incidents are proposed:
• a method based on self-similarity evaluation, for control of communication links;
• a method based on dynamic similarity in the data from a pair of devices, for detecting and monitoring logical connections.
The idea of the method based on self-similarity evaluation is that an IoT system implements a set of technological processes, each of which is executed with a certain periodicity. This periodicity is reflected in the data of every device that implements the technological process. On this basis, the time-series data from devices are assumed to have self-similarity properties [9-14]. A security incident is considered to be a violation of self-similarity for the time series generated by an IoT device. The security criterion is the value of the Hurst exponent, which lies between 0.5 and 1 for a self-similar process [15]. The Hurst exponent is calculated by the dispersion method [16]:
1. For the selected device, a set of events for a certain period of time $\Delta t$ is allocated;
2. From the set of events, a time series $x(t_1), x(t_2), \ldots, x(t_l)$ is generated, where $x$ is the value of the event parameter at the corresponding time;
3. An aggregation period $m$ is selected and the series is converted into the aggregated time series $x^{(m)}$: $x^{(m)}_k = \frac{1}{m}\sum_{i=km-m+1}^{km} x_i$;
4. $\log D(x^{(m)})$ is plotted against $\log(m)$;
5. From the relation $\log D(x^{(m)}) = \log D(x) - \beta \log(m)$ the value $\beta$ is obtained;
6. The Hurst exponent is calculated as $H = 1 - \beta$.
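The dispersion method above, as an added example that is not the authors' code: block aggregation, the log-log fit that yields β, and the self-similarity check on H for three constructed series. The step from β to H uses the standard variance-scaling law D(x^(m)) ∝ m^(2H−2), i.e. H = 1 − β/2, which is this example's assumption, as are the m values, the series length and the seeded generator.

```python
"""Added example: Hurst exponent by the dispersion (aggregated variance) method and the
self-similarity criterion from the text. Not the authors' code; series are constructed
with a seeded generator, and the step from beta to H uses the standard variance-scaling
law D(x^(m)) ~ m^(2H-2), i.e. H = 1 - beta/2, which is an assumption of this example."""
import math
import random


def aggregated_series(x, m):
    """x^(m)_k = (1/m) * sum(x_i for i = km-m+1 .. km): block means of length m."""
    return [sum(x[k * m:(k + 1) * m]) / m for k in range(len(x) // m)]


def dispersion(v):
    """Population variance D(v); the population form keeps D(x^(m)) <= D(x)."""
    mu = sum(v) / len(v)
    return sum((a - mu) ** 2 for a in v) / len(v)


def hurst_dispersion(x, m_values=(1, 2, 4, 8, 16, 32, 64)):
    """Least-squares fit of log D(x^(m)) = log D(x) - beta * log(m); returns H."""
    pts = [(math.log(m), math.log(dispersion(aggregated_series(x, m)))) for m in m_values]
    mean_lm = sum(lm for lm, _ in pts) / len(pts)
    mean_ld = sum(ld for _, ld in pts) / len(pts)
    slope = (sum((lm - mean_lm) * (ld - mean_ld) for lm, ld in pts)
             / sum((lm - mean_lm) ** 2 for lm, _ in pts))
    beta = -slope
    return 1 - beta / 2


def is_self_similar(h, low=0.5, high=1.0):
    """Security criterion from the text: H within [0.5, 1] for a self-similar process."""
    return low <= h <= high


def sample_series(kind, n=4096, seed=7):
    """Constructed device series: 'noise' (uncorrelated readings, H near 0.5),
    'walk' (persistent drift, H near 1), 'alternating' (anti-persistent, H below 0.5)."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n)]
    if kind == "noise":
        return noise
    if kind == "walk":
        walk, level = [], 0.0
        for step in noise:
            level += step
            walk.append(level)
        return walk
    if kind == "alternating":
        return [abs(v) * (1 if i % 2 else -1) for i, v in enumerate(noise)]
    raise ValueError(f"unknown series kind: {kind}")


if __name__ == "__main__":
    for kind in ("noise", "walk", "alternating"):
        h = hurst_dispersion(sample_series(kind))
        print(f"{kind:12s} H = {h:.2f}  self-similar: {is_self_similar(h)}")
```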
The idea of the method based on dynamic similarity in data is that during the concerted work of devices their data sets change in a rather similar way [2, 17]. The security criterion for this method is the deviation of the linear correlation coefficient and of the coefficient of agreement in dynamics from their normal values [18]. The permissible deviation is determined in accordance with the Chaddock scale: a change of the type of connection characterizes a security incident [19].
The linear correlation coefficient $r$ is calculated by the formula
$$r = \frac{\sum_i (x_i - \bar{X})(y_i - \bar{Y})}{\sqrt{\sum_i (x_i - \bar{X})^2 \sum_i (y_i - \bar{Y})^2}},$$
where $x$ and $y$ are the event parameter values from a pair of selected IoT devices.
The coefficient of agreement in dynamics, in accordance with [20], is calculated by the formula
$$k_s = \frac{\sum \Delta^i y \, \Delta^i x}{\sqrt{\sum (\Delta^i y)^2 \sum (\Delta^i x)^2}},$$
where $\Delta^i x$ and $\Delta^i y$ are finite differences of order $i$ [20].
Calculating the values of both coefficients makes it possible to determine the form of the functional relationship between IoT devices. The dependence is linear if both coefficient values are near 1; if only the value of the coefficient of agreement in dynamics is near 1, the dependence is non-linear.
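Both coefficients and the classification rule above, as an added example that is not the authors' code: r, k_s on first-order finite differences, the linear / non-linear decision, and an incident check that compares the Chaddock band of each coefficient in an observed window against a baseline. The constructed series, the 0.9 threshold for "near to 1" and the Chaddock band limits (the commonly tabulated ones, not given on the page) are assumptions.

```python
"""Added example: linear correlation r and the coefficient of agreement in dynamics
k_s for a pair of device series, with a Chaddock-scale band change as the incident
criterion. Not the authors' code; the series, the 0.9 threshold for 'near to 1' and
the Chaddock band limits are assumptions of this illustration."""
import math


def pearson_r(x, y):
    """r = sum((x_i - X)(y_i - Y)) / sqrt(sum((x_i - X)^2) * sum((y_i - Y)^2))."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    num = sum((a - mx) * (b - my) for a, b in zip(x, y))
    den = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return num / den if den else 0.0  # a constant series carries no correlation


def finite_differences(v, order=1):
    """Finite differences delta^i v of the given order i."""
    for _ in range(order):
        v = [b - a for a, b in zip(v, v[1:])]
    return v


def agreement_in_dynamics(x, y, order=1):
    """k_s = sum(dy dx) / sqrt(sum(dy^2) * sum(dx^2)) over i-th order differences."""
    dx, dy = finite_differences(x, order), finite_differences(y, order)
    num = sum(a * b for a, b in zip(dx, dy))
    den = math.sqrt(sum(a * a for a in dx) * sum(b * b for b in dy))
    return num / den if den else 0.0


def chaddock_band(c):
    """Commonly tabulated Chaddock bands for |c| (assumed here, not given in the text)."""
    strength = abs(c)
    for limit, name in ((0.1, "none"), (0.3, "weak"), (0.5, "moderate"),
                        (0.7, "noticeable"), (0.9, "high")):
        if strength < limit:
            return name
    return "very high"


def relation_type(r, ks, near=0.9):
    """Rule from the text: both near 1 -> linear; only k_s near 1 -> non-linear."""
    if abs(r) >= near and abs(ks) >= near:
        return "linear"
    if abs(ks) >= near:
        return "non-linear"
    return "none"


def check_pair(baseline, window):
    """Incident when the Chaddock band of r or k_s in the observed window differs
    from the band learned on the baseline, i.e. the type of connection changed."""
    def bands(x, y):
        return chaddock_band(pearson_r(x, y)), chaddock_band(agreement_in_dynamics(x, y))
    before, after = bands(*baseline), bands(*window)
    return {"incident": before != after, "baseline": before, "window": after}


# Constructed series sampled every 0.5 s: a reference sensor A and three others.
T = [0.5 * i for i in range(400)]
SENSOR_A = [5 * math.sin(t) for t in T]
SENSOR_B = [2 * v + 1 for v in SENSOR_A]               # linearly dependent on A
SENSOR_C = [v + 0.1 * t for v, t in zip(SENSOR_A, T)]  # same dynamics, drifting level
SENSOR_D = [5 * math.cos(3 * t) for t in T]            # unrelated to A
STUCK_B = [SENSOR_B[0]] * len(T)                        # B replaced by one repeated value
```

Pair A/C shows why both coefficients are needed: the increments agree (k_s close to 1) while the level drift keeps r well below 1, so the rule classifies the dependence as non-linear; the stuck series drops both bands to "none" against the A/B baseline.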
Experiments
To evaluate the effectiveness of the developed methods, an experimental model of the SIEM system was implemented. The research was performed on data obtained from a self-regulating greenhouse watering system, shown in Fig. 4. The system consisted of:
• soil moisture sensors (400 pieces);
• temperature sensors (400 pieces);
• light sensors (270 pieces);
• "smart" cranes (20 pieces);
• leakage sensors (100 pieces).
Studies of data dimension reduction confirmed the effectiveness of the developed aggregation and normalization method (Table).
Fig. 4. Self-regulating watering greenhouse system
Table. The largest and smallest data reduction per day

Parameter                                      Light sensor         Soil moisture sensor
Frequency of message generation                30 seconds           10 seconds
Aggregation period                             2 minutes            30 seconds
Number of sensors                              270 pieces           400 pieces
Amount of data per day                         777 600 messages     3 456 000 messages
Amount of data after aggregation by time       194 400 messages     1 152 000 messages
Share of aggregation by device type            68 %                 43 %
Amount of data after aggregation by type       59 320 messages      861 200 messages
Reduction of data amount                       13.3 times           5 times
The best data reduction per day was achieved for the light sensors because in most cases both types of aggregation were performed. The worst results were obtained for the soil moisture sensor data: since the values did not coincide in more than 50 % of the cases, the data volume declined by only 5 times.
The effectiveness of the methods for detecting security incidents was evaluated by implementing 60 attacks from the following classes:
• Denial of Service (DoS): 9 attacks;
• Man-in-the-Middle (data interception, modification, deletion): 34 attacks;
• system settings changing: 12 attacks;
• adding non-existent devices and data: 5 attacks.
The experiments showed that the developed methods could detect 95 % of the attacks on the IoT system, and that the methods complement each other by detecting different types of attacks. In particular, a data duplication attack on a temperature sensor was identified only by the method based on detecting implicit connections, since a violation of the implicit connection between a pair of temperature sensors was recorded. It should be noted that the attack modifying humidity sensor data, which consisted in a smooth change of the observed values, was detected only by the method based on self-similarity evaluation.
50 attacks were detected by the method based on self-similarity evaluation and 39 attacks by the method based on detecting implicit relations. Thus, 18 attacks were detected only by the first method and 7 attacks only by the second. Of the 60 attacks, 57 were detected in total; for the entire SIEM system the errors were 9 % of the first kind and 5 % of the second kind.
2 of the 3 missed attacks belonged to the "Man-in-the-Middle" class. They were not detected because the database did not store records of the minimum and maximum parameter values for each aggregation period. The last attack belonged to the "system settings changing" class; it was not detected because of the short training period of the system, so not all implicit connections had been found.
The results indicate that the developed methods can be fully used for detecting security incidents in the IoT.
Conclusion
Thus, an approach to detecting security incidents in the IoT based on SIEM technology has been developed. The approach takes into account the specifics of the IoT subject area, namely the large amounts of heterogeneous data from devices and the need to control not only the communication but also the logical connections between devices. Experimental results showed that the developed detection methods are able to detect security incidents that are not detectable by the standard methods used in SIEM systems.
Future work will be related to the study of the safety of cyber-physical systems and the development of a dynamic approach to assessing the safety of complex systems.
References
1. Vermesan O., Friess P. Internet of Things Applications -From Research and Innovation to Market Deployment, Bringing IP to Low-power Smart Objects: The Smart Parking Case in the CALIPSO Project, The River Publishers, Series in Communications, 2014, pp. 287-313.
2. Lavrova D. S. Podhod k razrabotke SIEM-sistemy dlya Interneta Veshchej [Approach to the development of a SIEM system for the Internet of Things], Problemy informacionnoj bezopasnosti. Komp'yuternye sistemy, 2016, no. 2, pp. 50-60.
3. Poletaeva E. V. Principy postroeniya ontologii predmetnoj oblasti mashinostroeniya [Principles for construction of ontologies for engineering subject domain]. Programmnye produkty, sistemy i algoritmy [Software Products, Systems and Algorithms], 2015, no. 1.
4. Lychkina N. N., Idiatullin A. R. Razrabotka kompleksa ontologicheskih modelej arhitektury predpriyatiya [Development of a complex of ontological models of enterprise architecture], V Int. Conf. Parallel'nye vychisleniya i zadachi upravleniya [Parallel Comput. Control Tasks], Moscow, 2010.
5. Lavrova D. S. Ontologicheskaya model' predmetnoj oblasti Interneta veshchej dlya analiza bezopasnosti [ontological Internet of Things domain model for security analysis], Problemy informacionnoj bezopasnosti. Komp'yuternye sistemy [Inf. Security Prob. Comput. System], 2016, no. 2, pp. 68-75.
6. Poltavceva M. A. Normalizaciya dannyh Interneta veshchej v sisteme obnaruzheniya incidentov bezopasnosti [Internet of Things data normalization for detection of security incidents], 24 Sci. Tech. Conf. "Metody i tekhnicheskie sredstva obespecheniya bezopasnosti informacii" [Methods and Tech. Means of Inf. Secur.], 29 June - 02 July 2015, St. Petersburg, Izdatel'stvo Politekhnicheskogo universiteta, 2015, pp. 29-31.
7. Lavrova D., Pechenkin A. Applying Correlation and Regression Analysis Methods for Security Incidents Detection in the Internet of Things, Int. J. Commun. Netw. Inf. Secur., 2015, Vol. 7, no. 3, pp. 131-137.
8. Nadezhdin E. N., Cvetkov A. A. Sintez programmy monitoringa resursov vychislitel'noj seti obrazovatel'noj organizacii [Synthesis of a program for monitoring resources of the computer network of an educational organization], Naukovedenie [Naukovedenie], 2014, no. 5 (24). Available at: http://go-url.ru/sintez (accessed 04.09.2016).
9. Fedorova M. L., Ledeneva T. M. Ob issledovanii svojstva samopodobiya trafika mul'tiservisnoj seti [On the investigation of the self-similarity property of multiservice network traffic]. Available at: http://www.vestnik.vsu.ru/pdf/analiz/2010/01/2010-01-09.pdf (accessed 28.04.2015).
10. Trenogin N. G., Sokolov D. E. Fraktal'nye svojstva setevogo trafika v klient-servernoj informacionnoj sisteme [Fractal properties of network traffic in a client-server information system], Vestnik SibGUTI [The Herald of SibSUTIS], 2003, pp. 163-172.
11. Girik A. V. Obnaruzhenie informacionnyh ugroz bezopasnosti peredachi dannyh v telekommunikacionnyh setyah [Detection of information threats to the security of data transmission in telecommunication networks], XV All-Russian Sci. Metod. Conf. "Telematika-2008", St. Petersburg, 23-26 June 2008, St. Petersburg, 2008, p. 178.
12. Loktev A. A., Zaletdinov A. V. Ispol'zovanie fraktalov v zadachah obespecheniya informacionnoj bezopasnosti [The use of fractals in the tasks of ensuring information security], Vestnik Tambovskogo universiteta. Estestvennye i tekhnicheskie nauki [Tambov Univ. Rep. Series Sci. Natur. Sci.], 2010, Vol. 2, is. 2, pp. 442-447.
13. Lavrova D. S., Zegzhda D. P., Zegzhda P. D., Shtyrkina A. A. Ocenka kiberustojchivosti informacionno-tekhnologicheskih sistem na osnove samopodobiya [Cyber-resistance assessment of information technology systems on the basis of self-similarity], 25 Sci. Tech. Conf. "Metody i tekhnicheskie sredstva obespecheniya bezopasnosti informacii" [Methods and Tech. Means of Inf. Secur.], St. Petersburg, Izdatel'stvo Politekhnicheskogo universiteta, 2016, pp. 101-104.
14. Dejneko Zh. V., Zamula A. A., Kirichenko L. O., Radivilova T. A. Ob odnom metode modelirovaniya samopodobnogo stohasticheskogo processa [On one method of modeling a self-similar stochastic process], Visnik Harkovskogo nacionalnogo universitetu imeny V. N. Karazina. Matematichne modelyuvannya. Informacijni tekhnologi'i. Avtomatizovani sistemi upravlinnya [Bul. V. N. Karazin Kharkiv Nat. Univ. Sci. Periodicals, series "Math. Modeling. Inf. Technol. Automated Control Systems"], 2010, Vol. 13, no. 890, pp. 53-63.
15. Shibaeva E. S. Sravnenie metodov analiza pokazatelya Hersta dlya fraktal'nogo setevogo trafika [Comparison of methods of analysis of the Hurst exponent for fractal network traffic]. Available at: http://www.mce.su/archive/doc97687/doc.pdf (accessed 28.06.2016).
16. Pechenkin A. I., Gluhov V. V., Lavrova D. S. Applying Correlation Analysis Methods to Control Flow Violation Detection in the Internet of Things, Autom. Control Comput. Sci., 2015, no. 8, pp. 735-740.
17. Pechenkin A. I., Lavrova D. S. Rassledovanie incidentov bezopasnosti v Internete Veshchej s ispol'zovaniem korrelyacionno-regressionnogo analiza [Investigation of security incidents in the Internet of Things using correlation-regression analysis], IX St. Peterburg. Int. Conf. "Informacionnaya bezopasnost' regionov Rossii (IBRR-2015)" [Inform. Security of the Regions of Russia], St. Petersburg, 28-30 Oct. 2015, St. Petersburg, SPOISU, 2015, p. 110.
18. Svetun'kov S. G., Svetun'kov I. S. Metody social'no-ehkonomicheskogo prognozirovaniya [Methods of socio-economic forecasting], Vol. 1, St. Petersburg, Izdatel'stvo SPbGUEHF, 2009, pp. 254-268.
19. Chaddock R. E. Principles and Methods of Statistics, 1st ed., Cambridge, Houghton Mifflin Company, The Riverside Press, 1925.
20. Gel'fond A. O. Ischislenie konechnyh raznostej [Finite difference calculus], Moscow, Librokom, 2012.
Approach to the detection of security incidents in the Internet of Things using SIEM technology
Zegzhda D. P., Lavrova D. S. Peter the Great St. Petersburg Polytechnic University St. Petersburg, Russia [email protected], [email protected]
Abstract. This article proposes an approach to the detection of security incidents in the Internet of Things using SIEM technology. The proposed approach takes into account such features of the Internet of Things subject area as the high heterogeneity of devices and the large number of implicit logical connections that arise between devices while they implement technological processes. The notion of a security event for the Internet of Things is also formalized on the basis of a graph model of device interaction.
Keywords: Internet of Things, security incident, SIEM, security analysis, data aggregation.