Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Home IoT Environments with Attribute-Based Access Control

Published byBaldric Tyler Modified over 5 years ago

Similar presentations

Presentation on theme: "Securing Home IoT Environments with Attribute-Based Access Control"— Presentation transcript:

1 Securing Home IoT Environments with Attribute-Based Access Control
Bruhadeshwar Bezawada Kyle Haefner Indrakshi Ray 3rd ACM Workshop on ABAC (CODASPYW)

2 Introduction The home Internet-of-Things ecosystem is growing rapidly
Technology reports estimate about 500 devices per household by 2020 Home IoT environments have three key features Dynamic: devices added and/or removed over time Collaborative: devices interact and interfere Heterogeneous: multiple device-types, protocols and functionality Security is a critical requirement

3 Home IoT Eco-system: Bird’s Eye-view
Smart Bulb Smart Thermostat Mobile App Based Control Smart Lock SecurityCam Security Monitoring System Part of image from:

4 Home IoT Eco-system: Bird’s Eye-view
Security-cam: provides video surveillance and connects to the home owner via Internet/LAN Smart-lock: provides locking capability and can be turned on/off remotely by home owner Smart-thermostat: adjusts the temperature setting automatically and can be configured via Internet Video-bell: provides video of anyone ringing the bell and sends such data to home owner over Internet Mobile apps: usually pair with devices and control them

5 Device Interactions The security monitoring system could query motion sensors/security-cam for status updates A mobile phone app can turn on Microwave at a predetermined time The smart fridge can query temperature sensors for adjusting the cooling level A video-bell provides periodic updates to the home owner

6 Security Scenarios Unauthorized external data requests: results in privacy violation of household Malware: Can be found in untrusted devices leading to data leakage or network disruption Cross-user interference: trying to control a device at the same time Misconfigurations: Misconfigured devices causing undesired disruptions Device additions: Newer devices might affect stability of network operations

7 Proposed Approach: Attribute-Based Access Control for Home IoT Networks
Attributes associated with entities are used to make policy decisions; changing attributes changes policies Our Approach: ABAC; most suitable for a diverse and dynamic environment like Home IoT Network Other models like RBAC, CapBAC, and TBAC have inherent shortcomings Modeling Home IoT in ABAC is a challenge

8 Related Work Role-Based Access Control Models
Inflexible and difficult to adapt to home IoT dynamics E.g. Parent wanting allow child to access Internet only when parent is at home Capability-Based Access Control Models Individual devices are responsible for policy decisions For home IoT resource constraints make this difficult Flow-containment Models Enforcing network level control by observing anomalous flows Cannot express flows in natural language or be flexible in applying attribute-based flows

9 ABAC Model: Basics ABAC Entities Policy format:
Subject : Entity initiating access request Object : resource on which the access request is made Action : The action requested on the resource Environment : The context of the access request Policy format: <Subject (attributes), Object (attributes), Environment(attributes), Action> NIST NGAC is a reference implementation of ABAC NGAC treats attributes and entities as containers and defines associations across them

10 Proposed Approach We plan to leverage the NIST NGAC model to secure Home IoT environment NGAC features like containers, inheritance, and obligations are valuable to realize usable security Our goal is to specify high level user policies and enforce them using network level information Our approach consists of the following: Entities and Attributes Description Home IoT domain pertinent Policy Specification ABAC-IoT Implementation Architecture

11 ABAC Model for IoT: Entities and Attributes (sample shown)
Subjects Human User: <Role, Age, Login name> Process: <Type of process, Type of initiating device> Device : <Device identifier, Device priority> Objects Device: <Device type, Device Identifier> Information: <Content-type, Data Size> Any resource needing protection Environment <GPS, Logical-names, Time> Operations <send-data, send-control, read-data, read-control>

12 Home IoT Policy Specification
We specify the policy categories suited for Home IoT characteristics Dynamic : Device-type Agnostic Policies; to handle addition of new devices Usability: Quality-of-Experience Policies; to avoid cross-device interference Network stability: Network Behavior Policies; to ensure network stability Untrusted devices: Co-located Device Policies; to protect against co-located malicious devices

13 Illustration: Device-Type Agnostic Policy
High-level policy description: “A device cannot send control data to another device unless it is an authorized monitoring device”

14 Examples of Policies Quality-of-Experience Network Behavior
“only one app should be connected and in control of one device for the duration of the connection establishment” Network Behavior “a non-control device cannot initiate connections to all devices in the network” Controlling Malicious devices “non-control device cannot communicate with another device on network”

15 ABAC-IoT Implementation Architecture
We integrate NIST NGAC with the network switching architecture Our implementation includes an attribute management module that integrates with the PIP of NIST NGAC The architecture consists of a fingerprinting module that will extract attributes of unknown devices Policy enforcement is done at the packet (per packet) or flow level (group of packets)

16 Policy Enforcement Architecture

17 ABAC-IoT Implementation Architecture
Switching module: Has access to all network traffic from the IoT devices Fingerprint module: ascertains a device attributes through machine learning algorithms Flow monitor module: is used to assign attributes to network flows and triggers policies on flows Attribute management framework: manages attributes of entities and integrates with NIST NGAC to provide up to date attributes

18 Future Work Task 1: Generic Policy Specification and Generation
Approach 1: Laboratory experiment Approach 2: Using CVE database analysis Task 2 : Attribute Management Framework User Attributes Device Attributes Network Traffic Attributes Task 3 : Policy Enforcement Architecture Policy decision point

19 Summary We described the first approach for using ABAC in Home IoT environments We enumerated several possible attributes and identified the different types of policies We described an enforcement architecture for the ABAC policies Our future work involves developing the architecture and designing policies

Download ppt "Securing Home IoT Environments with Attribute-Based Access Control"

Similar presentations

Defending against Sniffing Attacks on Mobile Phones Liang Cai (University of California, Davis), Sridhar Machiraju (Sprint Applied Research), Hao Chen.

Defending against Sniffing Attacks on Mobile Phones Liang Cai (University of California, Davis), Sridhar Machiraju (Sprint Applied Research), Hao Chen.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
C ONTENTS 1-Introduction What are smart homes 2-Why smart homes 3- Applications of smart homes 4- The main objective of the project 5- The main phases.

C ONTENTS 1-Introduction What are smart homes 2-Why smart homes 3- Applications of smart homes 4- The main objective of the project 5- The main phases.
Department Of Computer Engineering

Department Of Computer Engineering
© Siemens 2006 All Rights Reserved 1 Challenges and Limitations in a Back-End Controlled SmartHome Thesis Work Presentation 06.06.2006 Niklas Salmela Supervisor:

© Siemens 2006 All Rights Reserved 1 Challenges and Limitations in a Back-End Controlled SmartHome Thesis Work Presentation Niklas Salmela Supervisor:
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
Monitoring Architecture for Lawful Interception in VoIP Networks Second International Conference on Internet Monitoring and Protection (ICIMP 2007), IEEE.

Monitoring Architecture for Lawful Interception in VoIP Networks Second International Conference on Internet Monitoring and Protection (ICIMP 2007), IEEE.
Tufts Wireless Laboratory School Of Engineering Tufts University “Network QoS Management in Cyber-Physical Systems” Nicole Ng 9/16/20151 by Feng Xia, Longhua.

Tufts Wireless Laboratory School Of Engineering Tufts University “Network QoS Management in Cyber-Physical Systems” Nicole Ng 9/16/20151 by Feng Xia, Longhua.
11 World-Leading Research with Real-World Impact! Risk-Aware RBAC Sessions Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security.

11 World-Leading Research with Real-World Impact! Risk-Aware RBAC Sessions Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security.
A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence Shane Singh | COMPSCI 726.

A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence Shane Singh | COMPSCI 726.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.

Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:

Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:

Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
Policy Evaluation Testbed Vincent Hu Tom Karygiannis Steve Quirolgico NIST ITL PET Report May 4, 2010.

Policy Evaluation Testbed Vincent Hu Tom Karygiannis Steve Quirolgico NIST ITL PET Report May 4, 2010.
1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.

1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
Protection & Security Greg Bilodeau CS 5204 October 13, 2009.

Protection & Security Greg Bilodeau CS 5204 October 13, 2009.
Role Of Network IDS in Network Perimeter Defense.

Role Of Network IDS in Network Perimeter Defense.

Similar presentations

Ads by Google