CICADA: Cloud-based Intelligent Classification and Active Defense Approach for IoT Security

R. Neupane, Trevor Zobrist, K. Neupane, Shaynoah Bedford, Shreyas Prabhudev, Trevontae Haughton, Jianli Pan, P. Calyam
DOI: 10.1109/INFOCOMWKSHPS57453.2023.10225954
Venue: IEEE INFOCOM 2023 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)
Published: 2023-05-20
Indexed by: Semantic Scholar
Citations: 0

Abstract

Internet of Things (IoT) devices capture and process sensitive personally identifiable information, such as camera feeds and health data from enterprises and households. These devices are becoming targets of prominent attacks such as Distributed Denial of Service (DDoS) and botnets, as well as sophisticated attacks (e.g., Zero Click) that are elusive by design. There is a need for cyber deception techniques that can automate attack impact mitigation at the scale that IoT networks demand. In this paper, we present a novel cloud-based active defense approach, "CICADA", to detect and counter attacks that target vulnerable IoT networks. Specifically, we propose a multi-model detection engine featuring a pipeline of machine/deep learning classifiers to label inbound packet flows. In addition, we devise an edge-based defense engine that utilizes three simulated deception environments (Honeynet, Pseudocomb, and Honeyclone) with increasing pretense capabilities to deceive the attacker and lower the attack risk. Our deception environments are based on a CFO triad (cost, fidelity, observability) for designing system architectures to handle attacks with diverse detection characteristics. We evaluate the effectiveness of these architectures in an enterprise IoT network setting with a scale of thousands of devices. Our detection results show approximately 73% accuracy for the low-observability attack (Zero Click) corresponding to the BleedingTooth exploit, which allows unauthenticated remote attacks on vulnerable devices. Furthermore, we evaluate the different deception environments based on their risk mitigation potential and associated costs. Our simulation results show that the Honeyclone is able to reduce risk by approximately 88% compared to a network without any defenses.