Adaptive Access Control Policies for IoT Deployments (original) (raw)

CAPE: Continuous Access Policy Enforcement for IoT Deployments

2019 15th International Wireless Communications & Mobile Computing Conference (IWCMC), 2019

Advancements and convergence in IoT enabling technologies along with ubiquitous connectivity have led to the generation of new wave of smart services and applications based on real-time data access. The popularity of ubiquitous data access and accelerated adoption of these services pose significant challenges on user and data privacy. Thus, controlling access to such services in highly dynamic environments with continuously changing context becomes even more challenging. The wide adoption of IoT in our everyday life in many vital domains such as healthcare and military operations requires continuous and tight access control to prevent unauthorized and unintended access. A delay in making access decisions when context changes may result in consequences that cause harm and property damage. Therefore, continuity in access policy enforcement becomes a necessity in highly dynamic IoT environments for the entire access session not only at the time of request. This paper presents CAPE, a c...

Machine Learning based Access Control Framework for the Internet of Things

International Journal of Advanced Computer Science and Applications

The main challenge facing the Internet of Things (IoT) in general, and IoT security in particular, is that humans have never handled such a huge amount of nodes and quantity of data. Fortunately, it turns out that Machine Learning (ML) systems are very effective in the presence of these two elements. However, can IoT devices support ML techniques? In this paper, we investigated this issue and proposed a twofold contribution: a thorough study of the IoT paradigm and its intersections with ML from a security perspective; then, we actually proposed a holistic ML-based framework for access control, which is the defense head of recent IT systems. In addition to learning techniques, this second pillar was based on the organization and attribute concepts to avoid role explosion problems and applied to a smart city case study to prove its effectiveness.

Developing an adaptive Risk-based access control model for the Internet of Things

The Internet of Things (IoT) is creating a revolution in the number of connected devices. Cisco reported that there were 25 billion IoT devices in 2015 and modest estimation that this number will almost double by 2020. Society has become dependent on these billions of devices, devices that are connected and communicating with each other all the time with information constantly share between users, services, and internet providers. The emergent IoT devices as a technology are creating a huge security rift between users and usability, sacrificing usability for security created a number of major issues. First, IoT devices are classified under Bring Your Own Device (BYOD) that blows any organization security boundary and make them a target for espionage or tracking. Second, the size of the data generated from IoT makes big data problems pale in comparison not to mention IoT devices need a real-time response. Third, is incorporating secure access and control for IoT devices ranging from edge nodes devices to application level (business intelligence reporting tools) is a challenge because it has to account for several hardware and application levels. Establishing a secure access control model between different IoT devices and services is a major milestone for the IoT. This is important because data leakage and unauthorized access to data have a high impact on our IoT devices. However, traditional access control models with the static and rigid infrastructure cannot provide the required security for the IoT infrastructure. Therefore, this paper proposes a risk-based access control model for IoT technology that takes into account real-time data information request for IoT devices and gives dynamic feedback. The proposed model uses IoT environment features to estimate the security risk associated with each access request using user context, resource sensitivity, action severity and risk history as inputs for security risk estimation algorithm that is responsible for access decision. Then the proposed model uses smart contracts to provide adaptive features in which the user behaviour is monitored to detect any abnormal actions from authorized users.

Context-aware Automatic Access Policy Specification for IoT Environments

2018

Data privacy becomes a primary impediment to the realization of the IoT vision. One approach to the IoT security and privacy problem is to restrict access to sensitive data via access control and authorization models. Yet access context in IoT changes frequently raising the need for flexible and dynamic access control policies. Towards developing dynamic access control policies, context-based access control techniques are being investigated due to their robustness in assigning dynamic access permissions according to changes in context. In this paper, we propose to automate the generation of access control policies to overcome the inflexibility in traditional access policy specification techniques, and improve its adaptability to dynamic IoT environments. In our framework, we use context, attributes, and predication to describe the core access control elements. In response to access requests, our algorithm automatically produces conflict-free access control policies and makes the fin...

Context Sensitive Access Control in Smart Home Environments

2020 IEEE 6th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS), 2020

The rise in popularity of Internet of Things (IoT) devices has opened doors for privacy and security breaches in Cyber-Physical systems like smart homes, smart vehicles, and smart grids that affect our daily existence. IoT systems are also a source of big data that gets shared via cloud. IoT systems in a smart home environment have sensitive access control issues since they are deployed in a personal space. The collected data can also be of highly personal nature. Therefore, it is critical to build access control models that govern who, under what circumstances, can access which sensed data or actuate a physical system. Traditional access control mechanisms are not expressive enough to handle such complex access control needs, warranting the incorporation of new methodologies for privacy and security. In this paper, we propose the creation of the PALS system, that builds upon existing work in attribute based access control model, captures physical context collected from sensed data (attributes), and performs dynamic reasoning over these attributes and context driven policies using Semantic Web technologies to execute access control decisions. Reasoning over user context, details of information collected by cloud service provider and device type our mechanism generates as a consequent access control decisions. Our system's access control decisions are supplemented by another subsystem that detects intrusions into smart home systems based on both network and behavioral data. The combined approach serves to determine indicators that a smart home system is under attack, as well as limit what data breach such attacks can achieve.

Classification of device behaviour in internet of things infrastructures

Proceedings of the 1st International Conference on Internet of Things and Machine Learning

Increasingly Internet of Things (IoT) devices are being woven into the fabric of our physical world. With this rapidly expanding pervasive deployment of IoT devices, and supporting infrastructure, we are fast approaching the point where the problem of IoT based cyber-security attacks is a serious threat to industrial operations, business activity and social interactions that leverage IoT technologies. The number of threats and successful attacks against connected systems using IoT devices and services are increasing. The Internet of Things has several characteristics that present technological challenges to traditional cyber-security techniques. The Internet of Things requires a novel and dynamic security paradigm. This paper describes the challenges of securing the Internet of Things. A discussion detailing the state-of-the-art of IoT security is presented. A novel approach to security detection using streaming data analytics to classify and detect security threats in their early stages is proposed. Implementation methodologies and results of ongoing work to realise this new IoT cyber-security technique for threat detection are presented.

Securing Home IoT Environments with Attribute-Based Access Control

Proceedings of the Third ACM Workshop on Attribute-Based Access Control, 2018

Rapid advances in IoT networks have led to the proliferation of several end-user IoT devices. A modern day home IoT environment now resembles a complete network ecosystem with a variety of devices co-existing and operating concurrently. It is necessary that these devices do not disrupt the operations of other devices, either accidentally or maliciously. Accidental disruptions are usually due to misconfigured devices, which may, for instance, result in a device sending network broadcasts and flooding the network. Malicious disruptions may be caused by devices being compromised by attackers or due to devices purchased from untrusted manufacturers. An intentional disruption can include sending control information to other devices to manipulate their operations, and requesting for sensitive information such as surveillance videos or camera pictures. One way of preventing such disruptions is by enforcing access control on IoT devices. Attribute-Based Access Control is the most appropriate model because of its ability to enforce access control based on the attributes of the devices, users, and environment context. We consider the NIST Next Generation Access Control (NGAC) specification for our ABAC requirements because of several reasons, including its support for adaptive policies, efficiency, and ease of policy management.

A Transfer Learning Approach for Securing Resource-Constrained IoT Devices

IEEE Transactions on Information Forensics and Security

In recent years, Internet of Things (IoT) security has attracted significant interest by researchers due to new characteristics of IoT such as heterogeneity of devices, resource constraints, and new types of attacks targeting IoT. Intrusion detection, which is an indispensable part of a security system, is also included in these studies. In order to explore the complex characteristics of IoT, machine learning methods, which rely on long training time to generate intrusion detection models, are proposed in the literature. Furthermore, these systems need to learn a new/fresh model from scratch when the environment changes. This study explores the use of transfer learning in order to generate intrusion detection algorithms for such dynamically changing IoT. Transfer learning is an approach that stores knowledge learned from a problem domain/task and applies that knowledge to another problem domain/task. Here, it is employed in the following two settings: transferring knowledge for generating suitable intrusion algorithms for new devices, transferring knowledge for detecting new types of attacks. In this study, Routing Protocol for Low-Power and Lossy Network (RPL), a routing protocol for resource-constrained wireless networks, is used as an exemplar protocol and specific attacks against RPL are targeted. The experimental results show that the transfer learning approach gives better performance than the traditional approach. Moreover, the proposed approach significantly reduces learning time, which is an important factor for putting devices/networks in operation in a timely manner. Even though transfer learning has been considered a potential candidate for improving IoT security, to the best of our knowledge, this is the first application of transfer learning under these two settings in RPL-based IoT networks.

Access control in internet-of-things: A survey

Journal of Network and Computer Applications

The Internet of Things (IoT) is an emerging technology that is revolutionizing the global economy and society. IoT enables a collaborative environment where different entities-devices, people and applications-exchange information for service provision. Despite the benefits that IoT technology brings to individuals, society and industry, its wide adoption opens new security and privacy challenges. Among them, a vital challenge is the protection of devices and resources produced within IoT ecosystems. This need has attracted growing attention from the research community and industry, and several authorization frameworks have been designed specifically for IoT. In this survey, we investigate the main trends in access control in IoT and perform an extensive analysis of existing authorization frameworks tailored to IoT systems. Driven by the needs of representative IoT applications and key requirements for IoT, we elicit the main requirements that authorization frameworks for IoT should satisfy along with criteria for their assessment. These criteria and requirements form a baseline for our literature study. Based on this study, we identify the main open issues in the field of access control for IoT and draw directions for future research.

Enforcing Security in IoT and Home Networks

2018

Modern home and corporate networks are interconnecting many different devices types other than personal computers and printers. It is pretty common to have surveillance cameras or thermometers and control them through cloud-based services. Security-wise this practice can create potential threats when connected devices are not kept updated or if they can freely access the network. This paper describes a novel approach to monitoring and enforcing network policies that takes advantage of techniques such as network discovery and device behaviour fingerprinting, to define per-device/user network policies and enforcing them at the network edge before unwanted traffic enters or leaves the monitored network perimeter.