Title: A hybrid approach based on PUF and ML to protect MQTT based IoT system from DDoS attacks
Authors: Ankit Sharma, Kriti Bhushan
Journal: Cluster Computing (Journal Article), volume 23 1
DOI: 10.1007/s10586-024-04638-6 (https://doi.org/10.1007/s10586-024-04638-6)
Publication date: 2024-07-05
Platform: Semanticscholar
Citation count: 0
Abstract
IoT applications use MQTT, an application-layer protocol that facilitates machine-to-machine communication through a central entity called the broker. The vulnerability lies in the broker being susceptible to intrusion attempts, where a potential attacker might mount a Distributed Denial of Service (DDoS) attack. Such an attack involves repeatedly transmitting a large number of malicious messages or counterfeit connect requests. To send large messages, the attackers must breach the MQTT authentication process. MQTT employs two authentication approaches to safeguard its system: certificate-based and credential-based authentication. Credential-based authentication is popular because it is easy to implement. However, in MQTT, credential-based authentication is vulnerable to various attacks because credentials are transmitted in plain text. In the literature, authors have explored different cryptography-based solutions to address these challenges. However, implementing these solutions in IoT systems is impractical because of the substantial computational requirements at the broker and the end devices. The primary objective of this work is to formulate a PUF (Physical Unclonable Function) based authentication policy and to design an IDS that tracks the behaviour of incoming traffic. In the proposed authentication scheme, the PUF mechanism generates the credentials used to establish authenticity, thus protecting the network from password-based vulnerabilities such as dictionary attacks. The second security module of this research implements a Machine Learning based IDS to track and block fake connect requests in real time. The proposed IDS comprises Decision Tree and Neural Network algorithms that operate in parallel. To keep the ML model lightweight, the system incorporates a feature selection technique. The results section shows that the proposed system effectively and efficiently recognizes fake connect requests in real time while consuming minimal energy. Additionally, the proposed scheme requires less time than existing schemes in the literature.