MARS:物联网事件响应的第一道防线

IF 2 4区 医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Karley M. Waguespack , Kaitlyn J. Smith , Olame A. Muliri , Ramyapandian Vijayakanthan , Aisha Ali-Gombe
{"title":"MARS:物联网事件响应的第一道防线","authors":"Karley M. Waguespack ,&nbsp;Kaitlyn J. Smith ,&nbsp;Olame A. Muliri ,&nbsp;Ramyapandian Vijayakanthan ,&nbsp;Aisha Ali-Gombe","doi":"10.1016/j.fsidi.2024.301754","DOIUrl":null,"url":null,"abstract":"<div><p>The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled <em>MARS</em> (Memory Anomaly Recognition System). <em>MARS</em> is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of <em>MARS</em> leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, <em>MARS</em> is embedded within a Trusted Execution Environment—a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes <em>MARS</em> tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the <em>MARS</em> prototype on STM32L562QEI6QU showed our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robustness of memory changes.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0000,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281724000738/pdfft?md5=09a1fb9a920fb8dccb2a5090d50aa3bd&pid=1-s2.0-S2666281724000738-main.pdf","citationCount":"0","resultStr":"{\"title\":\"MARS: The first line of defense for IoT incident response\",\"authors\":\"Karley M. Waguespack ,&nbsp;Kaitlyn J. Smith ,&nbsp;Olame A. Muliri ,&nbsp;Ramyapandian Vijayakanthan ,&nbsp;Aisha Ali-Gombe\",\"doi\":\"10.1016/j.fsidi.2024.301754\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled <em>MARS</em> (Memory Anomaly Recognition System). <em>MARS</em> is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of <em>MARS</em> leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, <em>MARS</em> is embedded within a Trusted Execution Environment—a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes <em>MARS</em> tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the <em>MARS</em> prototype on STM32L562QEI6QU showed our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robustness of memory changes.</p></div>\",\"PeriodicalId\":48481,\"journal\":{\"name\":\"Forensic Science International-Digital Investigation\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":2.0000,\"publicationDate\":\"2024-07-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://www.sciencedirect.com/science/article/pii/S2666281724000738/pdfft?md5=09a1fb9a920fb8dccb2a5090d50aa3bd&pid=1-s2.0-S2666281724000738-main.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Forensic Science International-Digital Investigation\",\"FirstCategoryId\":\"3\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2666281724000738\",\"RegionNum\":4,\"RegionCategory\":\"医学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Forensic Science International-Digital Investigation","FirstCategoryId":"3","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2666281724000738","RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

物联网(IoT)设备在家庭、企业和工业领域的普及大大提高了我们收集数据和自动执行任务的能力。尽管这些设备无处不在,但它们的资源明显有限,而且经常缺乏强大的安全防御功能,从而带来了巨大的入侵和网络威胁风险。为了解决这些问题,我们提出了一种专门针对物联网设备设计的新型异常主机入侵检测系统,名为 MARS(内存异常识别系统)。MARS 的设计初衷是作为事件响应框架中的重要组成部分,充当组织网络或系统中潜在安全漏洞的早期检测系统。MARS 的基本架构利用设备内存作为监控系统级事件的关键指标。为了增强其安全性和完整性,MARS 被嵌入了一个可信执行环境--一个微控制器的安全、硬件隔离区域,不受不受信任软件的影响。这种设计选择不仅使 MARS 防篡改,还确保了对设备内存的可靠监控。通过远程服务器上的异常检测算法,可以检测到与既定内存基线的偏差,这表明存在安全隐患。我们在 STM32L562QEI6QU 上对 MARS 原型进行了评估,结果表明我们提出的架构可以实现良好的可扩展性,同时保持内存变化的可信度、准确性和稳健性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
MARS: The first line of defense for IoT incident response

The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled MARS (Memory Anomaly Recognition System). MARS is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of MARS leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, MARS is embedded within a Trusted Execution Environment—a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes MARS tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the MARS prototype on STM32L562QEI6QU showed our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robustness of memory changes.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
CiteScore
5.90
自引率
15.00%
发文量
87
审稿时长
76 days
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信