Juan Boubeta Puig (thesis co-director)
Ángel Jesús Varela Vaca (secretary)
María Laura González López (committee member)
The Internet of Things (IoT) has experienced dizzying growth. Its applications are many and diverse, ranging from enabling smart homes to monitoring industrial processes and optimizing traffic patterns. This unprecedented growth has made it a very attractive target for cyber criminals. This is especially worrying because the paradigm has certain intrinsic limitations. Among them, the devices involved are often resource-constrained, with little processing power and memory, which makes them difficult to protect. Additionally, these devices are often not well maintained, so they may be running outdated software that is vulnerable to known exploits. It is therefore necessary to design new solutions, or adapt traditional ones, that take the characteristics of the paradigm into account. The objective of this PhD thesis is to design, implement and evaluate an architecture that detects known and unknown threats in IoT environments in real time. Furthermore, the architecture is intended to detect such attacks with the least possible intervention.
Complex Event Processing (CEP) allows the processing and correlation of a large amount of data in real time. To achieve this, an expert defines a set of rules, called CEP rules, and when simple events, which contain information necessary to detect situations of interest, comply with these rules, a complex event is triggered.
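The rule-to-complex-event mechanism described above, as an added example that is not taken from the thesis: a threshold rule evaluated over a sliding time window. The MQTT fields, the rule `MqttConnectBurst`, its threshold and window, and the sample events are all constructed assumptions; the thesis's own rule language and engine are not shown on this page.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable

@dataclass
class ThresholdRule:
    """CEP rule: fire when `threshold` matching simple events share a key within `window` seconds."""
    name: str
    matches: Callable[[dict], bool]   # filter over simple-event fields
    key: Callable[[dict], str]        # correlation key (e.g. source address)
    threshold: int
    window: float

def run_cep(events, rules):
    """Feed time-ordered simple events through the rules; return the complex events raised."""
    recent = defaultdict(deque)       # (rule name, key) -> timestamps still inside the window
    complex_events = []
    for ev in events:
        for rule in rules:
            if not rule.matches(ev):
                continue
            k = rule.key(ev)
            q = recent[(rule.name, k)]
            q.append(ev["ts"])
            # Slide the window: drop timestamps older than `window` seconds.
            while ev["ts"] - q[0] > rule.window:
                q.popleft()
            if len(q) >= rule.threshold:
                complex_events.append({"rule": rule.name, "key": k, "count": len(q),
                                       "first_ts": q[0], "last_ts": ev["ts"]})
                q.clear()             # re-arm so one burst raises one complex event
    return complex_events

# Constructed sample: simple events as they might be extracted from MQTT traffic.
SAMPLE_EVENTS = [
    {"ts": 0.0, "src": "10.0.0.5", "proto": "mqtt", "msg_type": "CONNECT"},
    {"ts": 0.4, "src": "10.0.0.9", "proto": "mqtt", "msg_type": "PUBLISH"},
    {"ts": 0.5, "src": "10.0.0.5", "proto": "mqtt", "msg_type": "CONNECT"},
    {"ts": 0.9, "src": "10.0.0.5", "proto": "mqtt", "msg_type": "CONNECT"},
    {"ts": 6.0, "src": "10.0.0.9", "proto": "mqtt", "msg_type": "CONNECT"},
    {"ts": 20.0, "src": "10.0.0.9", "proto": "mqtt", "msg_type": "CONNECT"},
]
# Hypothetical rule: 3 MQTT CONNECTs from one source within 2 seconds.
CONNECT_BURST = ThresholdRule(
    name="MqttConnectBurst",
    matches=lambda e: e["proto"] == "mqtt" and e["msg_type"] == "CONNECT",
    key=lambda e: e["src"], threshold=3, window=2.0)

if __name__ == "__main__":
    print(run_cep(SAMPLE_EVENTS, [CONNECT_BURST]))
```

Only the burst from `10.0.0.5` raises a complex event; the two CONNECTs from `10.0.0.9` are 14 seconds apart and fall out of the window.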
First, an architecture capable of generating CEP rules to detect IoT threats in real time is designed, implemented and evaluated. However, this architecture requires an expert to specify the most important fields of the protocols to be monitored. It is also necessary that the network traffic, with which we train our architecture, is labeled, i.e., that the architecture knows which packets are attacks when training.
Next, this architecture is improved by eliminating the need for a domain expert to identify key fields, and then it is updated so that it can generate the rules without labeled traffic. The results obtained throughout the thesis support the viability of all the proposals we present, as they show that the different architectures achieve good results from both a functional and a performance point of view. We can conclude that the proposals described are viable.