“If security is required”: Engineering and Security Practices for Machine Learning-based IoT Devices

Title: “If security is required”: Engineering and Security Practices for Machine Learning-based IoT Devices
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Gopalakrishna, Nikhil Krishna; Anandayuvaraj, Dharun; Detti, Annan; Bland, Forrest Lee; Rahaman, Sazzadur; Davis, James C.
Conference Name: 2022 IEEE/ACM 4th International Workshop on Software Engineering Research and Practices for the IoT (SERP4IoT)
Keywords: composability, computer security, Costs, Cyber-physical systems, Embedded systems, Human Behavior, Internet of Things, Interviews, IoT security, machine learning, Metrics, Prototypes, pubcrawl, resilience, Resiliency, reverse engineering, Security and Privacy, software engineering
Abstract: The latest generation of IoT systems incorporate machine learning (ML) technologies on edge devices. This introduces new engineering challenges to bring ML onto resource-constrained hardware, and complications for ensuring system security and privacy. Existing research prescribes iterative processes for machine learning enabled IoT products to ease development and increase product success. However, these processes mostly focus on existing practices used in other generic software development areas and are not specialized for the purpose of machine learning or IoT devices. This research seeks to characterize engineering processes and security practices for ML-enabled IoT systems through the lens of the engineering lifecycle. We collected data from practitioners through a survey (N=25) and interviews (N=4). We found that security processes and engineering methods vary by company. Respondents emphasized the engineering cost of security analysis and threat modeling, and trade-offs with business needs. Engineers reduce their security investment if it is not an explicit requirement. The threats of IP theft and reverse engineering were a consistent concern among practitioners when deploying ML for IoT devices. Based on our findings, we recommend further research into understanding engineering cost, compliance, and security trade-offs.
DOI: 10.1145/3528227.3528565
Citation Key: gopalakrishna_if_2022