Biblio
In this paper, cyber physical system is analyzed from security perspective. A double closed-loop security control structure and algorithm with defense functions is proposed. From this structure, the features of several cyber attacks are considered respectively. By this structure, the models of information disclosure, denial-of-service (DoS) and Man-in-the-Middle Attack (MITM) are proposed. According to each kind attack, different models are obtained and analyzed, then reduce to the unified models. Based on this, system security conditions are obtained, and a defense scenario with detail algorithm is design to illustrate the implementation of this program.
The Internet Protocol version 6 (IPv6) over Low Power Wireless Personal Area Networks (6LoWPAN), which is a promising technology to promote the development of the Internet of Things (IoT), has been proposed to connect millions of IP-based sensing devices over the open Internet. To support the mobility of these resource constrained sensing nodes, the Proxy Mobile IPv6 (PMIPv6) has been proposed as the standard. Although the standard has specified some issues of security and mobility in 6LoWPANs, the issues of supporting secure group handovers have not been addressed much by the current existing solutions. In this paper, to reduce the handover latency and signaling cost, an efficient and secure group mobility scheme is designed to support seamless handovers for a group of resource constrained 6LoWPAN devices. With the consideration of the devices holding limited energy capacities, only simple hash and symmetric encryption method is used. The security analysis and the performance evaluation results show that the proposed 6LoWPAN group handover scheme could not only enhance the security functionalities but also support fast authentication for handovers.
Successful deployment of Low power and Lossy Networks (LLNs) requires self-organising, self-configuring, security, and mobility support. However, these characteristics can be exploited to perform security attacks against the Routing Protocol for Low-Power and Lossy Networks (RPL). In this paper, we address the lack of strong identity and security mechanisms in RPL. We first demonstrate by simulation the impact of Sybil-Mobile attack, namely SybM, on RPL with respect to control overhead, packet delivery and energy consumption. Then, we introduce a new Intrusion Detection System (IDS) scheme for RPL, named Trust-based IDS (T-IDS). T-IDS is a distributed, cooperative and hierarchical trust-based IDS, which can detect novel intrusions by comparing network behavior deviations. In T-IDS, each node is considered as monitoring node and collaborates with his peers to detect intrusions and report them to a 6LoWPAN Border Router (6BR). In our solution, we introduced a new timer and minor extensions to RPL messages format to deal with mobility, identity and multicast issues. In addition, each node is equipped with a Trusted Platform Module co-processor to handle identification and off-load security related computation and storage.
The Internet of Things leads to the inter-connectivity of a wide range of devices. This heterogeneity of hardware and software poses significant challenges to security. Constrained IoT devices often do not have enough resources to carry the overhead of an intrusion protection system or complex security protocols. A typical initial step in network security is a network scan in order to find vulnerable nodes. In the context of IoT, the initiator of the scan can be particularly interested in finding constrained devices, assuming that they are easier targets. In IoT networks hosting devices of various types, performing a scan with a high discovery rate can be a challenging task, since low-power networks such as IEEE 802.15.4 are easily overloaded. In this paper, we propose an approach to increase the efficiency of network scans by combining them with active network measurements. The measurements allow the scanner to differentiate IoT nodes by the used network technology. We show that the knowledge gained from this differentiation can be used to control the scan strategy in order to reduce probe losses.
Internet Protocol version 6 (IPv6) over Low power Wireless Personal Area Networks (6LoWPAN) is extensively used in wireless sensor networks (WSNs) due to its ability to transmit IPv6 packet with low bandwidth and limited resources. 6LoWPAN has several operations in each layer. Most existing security challenges are focused on the network layer, which is represented by its routing protocol for low-power and lossy network (RPL). RPL components include WSN nodes that have constrained resources. Therefore, the exposure of RPL to various attacks may lead to network damage. A sinkhole attack is a routing attack that could affect the network topology. This paper aims to investigate the existing detection mechanisms used in detecting sinkhole attack on RPL-based networks. This work categorizes and presents each mechanism according to certain aspects. Then, their advantages and drawbacks with regard to resource consumption and false positive rate are discussed and compared.
This paper addresses the need for standard communication protocols for IoT devices with limited power and computational capabilities. The world is rapidly changing with the proliferation and deployment of IoT devices. This will bring in new communication challenges as these devices are connected to Internet and need to communicate with each other in real time. The paper provides an overview of IoT system architecture and the forthcoming challenges it will bring. There is an urging need to establish standards for communication in the IoT world. With the recent development of new protocols like CoAP, 6LowPAN, IEEE 802.15.4 and Thread in different layers of OSI model, additional challenges also present themselves. Performance and data management is becoming more critical than ever before due to the complexity of connecting raging number of IoT devices. The performance of the systems dealing with IoT devices will require appropriate capacity planning the associated development of data centers. Finally, the paper also presents some reasonable approaches to address the above issues in the IoT world.
Tactical wireless sensor networks (WSNs) are deployed over a region of interest for mission centric operations. The sink node in a tactical WSN is the aggregation point of data processing. Due to its essential role in the network, the sink node is a high priority target for an attacker who wishes to disable a tactical WSN. This paper focuses on the mitigation of sink-node vulnerability in a tactical WSN. Specifically, we study the issue of protecting the sink node through a technique known as k-anonymity. To achieve k-anonymity, we use a specific routing protocol designed to work within the constraints of WSN communication protocols, specifically IEEE 802.15.4. We use and modify the Lightweight Ad hoc On-Demand Next Generation (LOADng) reactive-routing protocol to achieve anonymity. This modified LOADng protocol prevents an attacker from identifying the sink node without adding significant complexity to the regular sensor nodes. We simulate the modified LOADng protocol using a custom-designed simulator in MATLAB. We demonstrate the effectiveness of our protocol and also show some of the performance tradeoffs that come with this method.
6L0WPAN is a communication protocol for Internet of Things. 6LoWPAN is IPv6 protocol modified for low power and lossy personal area networks. 6LoWPAN inherits threats from its predecessors IPv4 and IPv6. IP spoofing is a known attack prevalent in IPv4 and IPv6 networks but there are new vulnerabilities which creates new paths, leading to the attack. This study performs the experimental study to check the feasibility of performing IP spoofing attack on 6LoWPAN Network. Intruder misuses 6LoWPAN control messages which results into wrong IPv6-MAC binding in router. Attack is also simulated in cooja simulator. Simulated results are analyzed for finding cost to the attacker in terms of energy and memory consumption.
The 6L0WPAN adaptation layer is widely used in many Internet of Things (IoT) and vehicular networking applications. The current IoT framework [1], which introduced 6LoWPAN to the TCP/IP model, does not specif the implementation for managing its received-fragments buffer. This paper looks into the effect of current implementations of buffer management strategies at 6LoWPAN's response in case of fragmentation-based, buffer reservation Denial of Service (DoS) attacks. The Packet Drop Rate (PDR) is used to analyze how successful the attacker is for each management technique. Our investigation uses different defence strategies, which include our implementation of the Split Buffer mechanism [2] and a modified version of this mechanism that we devise in this paper as well. In particular, we introduce dynamic calculation for the average time between consecutive fragments and the use of a list of previously dropped packets tags. NS3 is used to simulate all the implementations. Our results show that using a ``slotted'' buffer would enhance 6LoWPAN's response against these attacks. The simulations also provide an in-depth look at using scoring systems to manage buffer cleanups.
6LoWPAN networks involving wireless sensors consist of resource starving miniature sensor nodes. Since secured authentication of these resource-constrained sensors is one of the important considerations during communication, use of asymmetric key distribution scheme may not be the perfect choice to achieve secure authentication. Recent research shows that Lucky Thirteen attack has compromised Datagram Transport Layer Security (DTLS) with Cipher Block Chaining (CBC) mode for key establishment. Even though EAKES6Lo and S3K techniques for key establishment follow the symmetric key establishment method, they strongly rely on a remote server and trust anchor for secure key distribution. Our proposed Lightweight Authentication Protocol (LAUP) used a symmetric key method with no preshared keys and comprised of four flights to establish authentication and session key distribution between sensors and Edge Router in a 6LoWPAN environment. Each flight uses freshly derived keys from existing information such as PAN ID (Personal Area Network IDentification) and device identities. We formally verified our scheme using the Scyther security protocol verification tool for authentication properties such as Aliveness, Secrecy, Non-Injective Agreement and Non-Injective Synchronization. We simulated and evaluated the proposed LAUP protocol using COOJA simulator with ContikiOS and achieved less computational time and low power consumption compared to existing authentication protocols such as the EAKES6Lo and SAKES.