Securing Home IoT Environments with Attribute-Based Access Control

Slides:



Advertisements
Similar presentations
Defending against Sniffing Attacks on Mobile Phones Liang Cai (University of California, Davis), Sridhar Machiraju (Sprint Applied Research), Hao Chen.
Advertisements

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Computer Security: Principles and Practice
C ONTENTS 1-Introduction What are smart homes 2-Why smart homes 3- Applications of smart homes 4- The main objective of the project 5- The main phases.
Department Of Computer Engineering
© Siemens 2006 All Rights Reserved 1 Challenges and Limitations in a Back-End Controlled SmartHome Thesis Work Presentation Niklas Salmela Supervisor:
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
Monitoring Architecture for Lawful Interception in VoIP Networks Second International Conference on Internet Monitoring and Protection (ICIMP 2007), IEEE.
Tufts Wireless Laboratory School Of Engineering Tufts University “Network QoS Management in Cyber-Physical Systems” Nicole Ng 9/16/20151 by Feng Xia, Longhua.
11 World-Leading Research with Real-World Impact! Risk-Aware RBAC Sessions Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security.
A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence Shane Singh | COMPSCI 726.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
Policy Evaluation Testbed Vincent Hu Tom Karygiannis Steve Quirolgico NIST ITL PET Report May 4, 2010.
1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
Protection & Security Greg Bilodeau CS 5204 October 13, 2009.
Role Of Network IDS in Network Perimeter Defense.
Authorization PDP GE Course (R4) FIWARE Chapter: Security FIWARE GE: Authorization PDP FIWARE GEri: AuthZForce Authorization PDP Owner: Cyril Dangerville,
DM Collaboration – OMA & BBF: Deployment Scenarios Group Name: WG5 - MAS Source: Tim Carey, ALU, Meeting Date:
Context-Aware Middleware for Resource Management in the Wireless Internet US Lab 신현정.
Introduction to Mobile-Cloud Computing. What is Mobile Cloud Computing? an infrastructure where both the data storage and processing happen outside of.
Engineering, 7th edition. Chapter 8 Slide 1 System models.
Presented By: Smriti Bhatt
Database and Cloud Security
SDN challenges Deployment challenges
Resource subscription using DDS in oneM2M
A brief introduction to IoT gateway
Issues need harmonization
Instructor Materials Chapter 6 Building a Home Network
Lan Zhou, Vijay Varadharajan, and Michael Hitchens
Using E-Business Suite Attachments
Networking Devices.
Institute for Cyber Security
NETWORK SECURITY Cryptography By: Abdulmalik Kohaji.
Institute for Cyber Security
1st Draft for Defining IoT (1)
World-Leading Research with Real-World Impact!
Abstract descriptions of systems whose requirements are being analysed
Test Automation for IoT solutions A Paradigm shift
Home Automation System
Chapter 4: Switched Networks
CHAPTER 2 CREATING AN ARCHITECTURAL DESIGN.
SMART BUILDING WITH INDOOR NAVIGATION SYSTEM -using iot
Internet of Things
Ch > 28.4.
IS4550 Security Policies and Implementation
A Novel Framework for Software Defined Wireless Body Area Network
Securing Cloud-Native Applications Jason Schmitt CEO
Internet of Things Vulnerabilities
World-Leading Research with Real-World Impact!
Chapter 19: Building Systems with Assurance
IS4680 Security Auditing for Compliance
Systems Analysis and Design in a Changing World, 6th Edition
Rejina Basnet, Subhojeet Mukherjee, Vignesh M. Pagadala, Indrakshi Ray
Analysis models and design models
An Introduction to Software Architecture
IEEE MEDIA INDEPENDENT HANDOVER DCN:
Module 2 OBJECTIVE 14: Compare various security mechanisms.
IOT Acronym as “Internet Of Things”
Design Yaodong Bi.
Use Case Analysis – continued
IEEE MEDIA INDEPENDENT HANDOVER DCN:
Access Controls in Smart Cars: Needs and Solutions
Access Control What’s New?
Requirements Analysis
Software Development Process Using UML Recap
Microsoft Virtual Academy
Presentation transcript:

Securing Home IoT Environments with Attribute-Based Access Control Bruhadeshwar Bezawada Kyle Haefner Indrakshi Ray 3rd ACM Workshop on ABAC (CODASPYW)

Introduction The home Internet-of-Things ecosystem is growing rapidly Technology reports estimate about 500 devices per household by 2020 Home IoT environments have three key features Dynamic: devices added and/or removed over time Collaborative: devices interact and interfere Heterogeneous: multiple device-types, protocols and functionality Security is a critical requirement

Home IoT Eco-system: Bird’s Eye-view Smart Bulb Smart Thermostat Mobile App Based Control Smart Lock SecurityCam Security Monitoring System Part of image from: https://www.energymatters.com.au/energy-efficiency/smart-home-automation/

Home IoT Eco-system: Bird’s Eye-view Security-cam: provides video surveillance and connects to the home owner via Internet/LAN Smart-lock: provides locking capability and can be turned on/off remotely by home owner Smart-thermostat: adjusts the temperature setting automatically and can be configured via Internet Video-bell: provides video of anyone ringing the bell and sends such data to home owner over Internet Mobile apps: usually pair with devices and control them

Device Interactions The security monitoring system could query motion sensors/security-cam for status updates A mobile phone app can turn on Microwave at a predetermined time The smart fridge can query temperature sensors for adjusting the cooling level A video-bell provides periodic updates to the home owner

Security Scenarios Unauthorized external data requests: results in privacy violation of household Malware: Can be found in untrusted devices leading to data leakage or network disruption Cross-user interference: trying to control a device at the same time Misconfigurations: Misconfigured devices causing undesired disruptions Device additions: Newer devices might affect stability of network operations

Proposed Approach: Attribute-Based Access Control for Home IoT Networks Attributes associated with entities are used to make policy decisions; changing attributes changes policies Our Approach: ABAC; most suitable for a diverse and dynamic environment like Home IoT Network Other models like RBAC, CapBAC, and TBAC have inherent shortcomings Modeling Home IoT in ABAC is a challenge

Related Work Role-Based Access Control Models Inflexible and difficult to adapt to home IoT dynamics E.g. Parent wanting allow child to access Internet only when parent is at home Capability-Based Access Control Models Individual devices are responsible for policy decisions For home IoT resource constraints make this difficult Flow-containment Models Enforcing network level control by observing anomalous flows Cannot express flows in natural language or be flexible in applying attribute-based flows

ABAC Model: Basics ABAC Entities Policy format: Subject : Entity initiating access request Object : resource on which the access request is made Action : The action requested on the resource Environment : The context of the access request Policy format: <Subject (attributes), Object (attributes), Environment(attributes), Action> NIST NGAC is a reference implementation of ABAC NGAC treats attributes and entities as containers and defines associations across them

Proposed Approach We plan to leverage the NIST NGAC model to secure Home IoT environment NGAC features like containers, inheritance, and obligations are valuable to realize usable security Our goal is to specify high level user policies and enforce them using network level information Our approach consists of the following: Entities and Attributes Description Home IoT domain pertinent Policy Specification ABAC-IoT Implementation Architecture

ABAC Model for IoT: Entities and Attributes (sample shown) Subjects Human User: <Role, Age, Login name> Process: <Type of process, Type of initiating device> Device : <Device identifier, Device priority> Objects Device: <Device type, Device Identifier> Information: <Content-type, Data Size> Any resource needing protection Environment <GPS, Logical-names, Time> Operations <send-data, send-control, read-data, read-control>

Home IoT Policy Specification We specify the policy categories suited for Home IoT characteristics Dynamic : Device-type Agnostic Policies; to handle addition of new devices Usability: Quality-of-Experience Policies; to avoid cross-device interference Network stability: Network Behavior Policies; to ensure network stability Untrusted devices: Co-located Device Policies; to protect against co-located malicious devices

Illustration: Device-Type Agnostic Policy High-level policy description: “A device cannot send control data to another device unless it is an authorized monitoring device”

Examples of Policies Quality-of-Experience Network Behavior “only one app should be connected and in control of one device for the duration of the connection establishment” Network Behavior “a non-control device cannot initiate connections to all devices in the network” Controlling Malicious devices “non-control device cannot communicate with another device on network”

ABAC-IoT Implementation Architecture We integrate NIST NGAC with the network switching architecture Our implementation includes an attribute management module that integrates with the PIP of NIST NGAC The architecture consists of a fingerprinting module that will extract attributes of unknown devices Policy enforcement is done at the packet (per packet) or flow level (group of packets)

Policy Enforcement Architecture

ABAC-IoT Implementation Architecture Switching module: Has access to all network traffic from the IoT devices Fingerprint module: ascertains a device attributes through machine learning algorithms Flow monitor module: is used to assign attributes to network flows and triggers policies on flows Attribute management framework: manages attributes of entities and integrates with NIST NGAC to provide up to date attributes

Future Work Task 1: Generic Policy Specification and Generation Approach 1: Laboratory experiment Approach 2: Using CVE database analysis Task 2 : Attribute Management Framework User Attributes Device Attributes Network Traffic Attributes Task 3 : Policy Enforcement Architecture Policy decision point

Summary We described the first approach for using ABAC in Home IoT environments We enumerated several possible attributes and identified the different types of policies We described an enforcement architecture for the ABAC policies Our future work involves developing the architecture and designing policies

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.