Mutual Authentication with Multi-factor and Hybrid Approach to Intrusion Detection in IoT-Fog-Cloud Environment
Leandro Loffi
Cristiano Antonio de Souza
Carlos Becker Westphall
Carla Merkle Westphall
Renato Bobsin Machado
Federal University of Santa Catarina
Western Paraná State University
INFONOR 2021 - XII International Conference on Computing and Informatics of Northern Chile.
From September 1st to 3rd. Arica, Chile.
Summary - Mutual Authentication with Multi-factor
• Contextualization
• Problem
• Related Works
• Objectives
• Solution
• Scope
• Evaluation
• Result
• Analyze
• Conclusions
Contextualization - Mutual Authentication with Multi-factor
The IoT paradigm aims at interconnecting physical and logical objects, producing information for some service (HALLER, KARNOUSKOS, SCHROTH, 2008).
The main characteristic of an IoT network is its devices, which form a network of sensors and actuators (XIA et al., 2012).
Source: www.freepik.com/index.php?goto=74&idfoto=1215808
Contextualization - Mutual Authentication with Multi-factor
Fog Computing is a layered model that enables ubiquitous access to a shared pool of scalable computing resources (IORGA et al., 2018).
Source: nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-325.pdf
Contextualization - Mutual Authentication with Multi-factor
Mutual Authentication refers to two parties authenticating each other at the same time (OTWAY, REES, 1987).
Problem - Mutual Authentication with Multi-factor
As the first line of defense in an IoT network, authentication addresses the problem of verifying an identity (SCHNEIER, 1995).
Problem - Mutual Authentication with Multi-factor
• Devices located at the edge of IoT networks usually have low processing power and are bounded by energy restrictions.
• Thus, these devices have limited resources to implement security measures.
• If we consider authentication as the starting point of communication between two parties, a simple ID exchange, and/or authentication methods that do not verify the parties up front, cannot be considered sufficient to guarantee security.
Related Works - Mutual Authentication with Multi-factor
The related work was classified according to the following aspects:
• Simple: single or one-way authentication;
• Mutual: mutual or two-way authentication;
• IoT: protocol applied in environments with memory constraints, considering Fog Computing contexts;
• Factors: protocol that considers several factors for authentication (not for IoT).
Related Works - Mutual Authentication with Multi-factor
Nº  Work                         Simple  Mutual  IoT  Factors
1º  (AMIN et al., 2018)            x       -      x     -
2º  (GOPE et al., 2017)            -       x      x     -
3º  (IBRAHIM, 2016)                -       x      x     -
4º  (JAN et al., 2017)             -       x      x     -
5º  (KUMAR, GANDHI, 2017)          x       -      x     -
6º  (LI, LIU, NEPAL, 2017)         -       x      x     -
7º  (PIRAMUTHU, DOSS, 2017)        x       -      -     x
8º  (TEWARI, GUPTA, 2017)          -       x      x     -
9º  (WU et al., 2018)              -       x      x     -
    This work                      -       x      x     x
However, in general, these methods do not address in a combined way the
mutual authentication with simultaneous analysis of identification factors.
Objectives - Mutual Authentication with Multi-factor
The purpose of this work is to present an authentication model that authenticates the parties in an Internet of Things environment applied in the context of Fog Computing.
Specific objectives:
1. Develop strategies for identification factors of the parties;
2. Propose a method of mutual authentication with the developed factors;
3. Implement the proposed method in an Internet of Things environment in the context of Fog Computing; and
4. Evaluate the mutual authentication model in an IoT environment where the involved parties are memory restricted.
Solution - Mutual Authentication with Multi-factor
Mutual Authentication Method
• Red: Identification of Parties;
• Green: Asymmetric Key Exchange;
• Yellow: Symmetric Key Agreement;
• Blue: Encrypted Data.
Solution - Mutual Authentication with Multi-factor
• Identification of Parties:
  • n = HASH(time | IDdest | IDorig | seq).
• Asymmetric Key Exchange
• Symmetric Key Agreement
• Encrypted Data
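The identification step above binds a nonce to the time, the two party identifiers and a sequence number. The following Python is an added illustration, not the authors' implementation: it derives the nonce with the slide's formula using SHA-256 (the hash listed in the Scope slide) and shows the checks a receiver needs so that a replayed, stale or misdirected nonce is rejected. The `|` separator, the field encoding, the freshness window and the per-origin sequence rule are assumptions made for this example; the party identifiers and timestamps are constructed.

```python
"""Identification-of-parties factor: nonce derivation and verification.

Added illustration, not the authors' implementation. It follows the slide's
formula n = HASH(time | IDdest | IDorig | seq) with SHA-256 as the hash and
adds the receiver-side checks needed to reject replayed or stale nonces.
The '|' separator, the field encoding, the freshness window and the
sequence-number rule are assumptions made here.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

FRESHNESS_WINDOW_S = 5  # assumed: how far a timestamp may drift before rejection


def derive_nonce(timestamp: int, id_dest: str, id_orig: str, seq: int) -> str:
    """n = SHA256(time | IDdest | IDorig | seq).

    Fields are joined with a literal '|' (assumed encoding) so that field
    boundaries are unambiguous and 'ab'+'c' cannot collide with 'a'+'bc'."""
    material = f"{timestamp}|{id_dest}|{id_orig}|{seq}".encode()
    return hashlib.sha256(material).hexdigest()


class NonceVerifier:
    """Receiver-side state: the last accepted sequence number per origin."""

    def __init__(self, my_id: str, window_s: int = FRESHNESS_WINDOW_S):
        self.my_id = my_id
        self.window_s = window_s
        self.last_seq: Dict[str, int] = {}

    def verify(self, nonce: str, timestamp: int, id_orig: str, seq: int,
               now: int) -> Tuple[bool, str]:
        # 1. Destination binding: recompute with *our* id; a nonce built for
        #    another party, or with tampered fields, will not match.
        expected = derive_nonce(timestamp, self.my_id, id_orig, seq)
        if not hmac.compare_digest(expected, nonce):  # constant-time compare
            return False, "nonce mismatch"
        # 2. Freshness: the embedded time must lie inside the window.
        if abs(now - timestamp) > self.window_s:
            return False, "stale timestamp"
        # 3. Anti-replay: the sequence number must increase per origin.
        if seq <= self.last_seq.get(id_orig, -1):
            return False, "replayed sequence"
        self.last_seq[id_orig] = seq
        return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Constructed exchange between a device 'dev-42' and a fog node 'fog-01':
    a genuine message, the same message presented again, a message whose
    timestamp is a minute old, and a nonce derived for a different destination."""
    fog = NonceVerifier("fog-01")
    t0 = 1_700_000_000
    genuine = derive_nonce(t0, "fog-01", "dev-42", 1)
    return [
        fog.verify(genuine, t0, "dev-42", 1, now=t0 + 1),
        fog.verify(genuine, t0, "dev-42", 1, now=t0 + 2),
        fog.verify(derive_nonce(t0, "fog-01", "dev-42", 2), t0, "dev-42", 2, now=t0 + 60),
        fog.verify(derive_nonce(t0, "fog-02", "dev-42", 2), t0, "dev-42", 2, now=t0 + 1),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The order of the checks matters: the hash comparison runs first so that the receiver never updates its sequence state for a message it cannot bind to itself, and the sequence number is only recorded after every other check has passed.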
Scope - Mutual Authentication with Multi-factor
• Cryptographic algorithms covered:
  • AES (Advanced Encryption Standard);
  • RSA (R. Rivest, A. Shamir and L. Adleman);
  • SHA256; and
  • Diffie-Hellman.
• Architecture and platform:
  • Raspberry Pi 3 model B;
  • FOG: notebook with an 8-core i7, Ubuntu 18.04 LTS and 8 GB of RAM;
  • CLOUD: Google Cloud Compute Engine with 1 core (Skylake CPU), Ubuntu 18.04 LTS and 8 GB of RAM.
Architecture evaluation
Evaluation - Mutual Authentication with Multi-factor
• The “Network” tab is related to the network time between the peers.
• “Total Send” is the total time of sending to the receiver.
• “Verification” is the total time for checking the authentication factors.
• “Signature” is the time for signing the parameters.
• “Nonce” is the time for creating a new nonce.
• “Encryption” is the time for encrypting the data to be transmitted.
• “Mount Pack” is the total time to assemble each package to be sent; this relates only to the first step presented in the “Step” tab.
Evaluation - Mutual Authentication with Multi-factor
Processing time of each step
• The time for each step of the authentication processing is displayed. The numbers along the bottom refer to the steps shown in the Mutual Authentication Method.
Evaluation - Mutual Authentication with Multi-factor
View of disk and network consumption
Evaluation - Mutual Authentication with Multi-factor
Evaluation with CL-AtSe and OFMC
• We simulated the proposed scheme with formal security verification through the broadly accepted AVISPA tool (ARMANDO et al., 2006).
• The AVISPA (Automated Validation of Internet Security-sensitive Protocols and Applications) tool only detects whether a security protocol is secure against replay and man-in-the-middle attacks.
Result - Mutual Authentication with Multi-factor
Example of Factor Authentication
Analyze - Mutual Authentication with Multi-factor
• Performance Evaluation:
  • In Tables III and IV:
    • It can clearly be seen in Tables III and IV that the network time depends very much on the location.
    • In the context of Cloud Computing, a variation of more than 1 millisecond occurred in some steps relative to the previous ones.
    • This suggests that different routes may be taken between the client and the server.
  • In Graph 1 - Processing time of each step:
    • The longest time belongs to the client, because it has lower processor power.
    • Another point that can be analyzed is that the Cloud ranked higher in processing than the Fog environment, because it is a location with high processing power.
Conclusion - Mutual Authentication with Multi-factor
• A new mutual authentication model was introduced for IoT environments in Fog Computing contexts.
• Authentication is performed during the handshake, more specifically during the verification of the Authentication Factors: Challenge-Response Function, Response Time and Nonce.
• The work has some limitations. In terms of suitable algorithms, it does not present high performance in data encryption with the AES algorithm library.
• The combination of mutual authentication and different factors in an IoT environment is a contribution of this paper. The related works summarized in Table I do not combine mutual authentication and different factors in their proposals, and they do not describe any performance results. Consequently, it is not possible to compare the performance findings obtained in this paper with any other related work.
• It is proposed to improve the model with several types of ciphers, using handshake suites similar to those used in TLS (Transport Layer Security) / SSL (Secure Sockets Layer).
Reference - Mutual Authentication with Multi-factor
Leandro Loffi, Carla Merkle Westphall, Lukas Derner Grüdtner and Carlos Becker Westphall. Mutual authentication with multi-factor in IoT-Fog-Cloud environment. Journal of Network and Computer Applications, vol. 176, 102932, 2021. ISSN 1084-8045. doi: 10.1016/j.jnca.2020.102932. https://www.sciencedirect.com/science/article/pii/S108480452030391X
Summary - Hybrid Approach to Intrusion Detection
• Contextualization
• Problem
• Related Works
• Objectives
• Solution
• Evaluation
• Conclusions
Contextualization - Hybrid Approach to Intrusion Detection
• Technological expansion;
• Increased computational incidents:
  • Attack against the provider Dyn in 2016 (Mirai botnet) (Kolias et al., 2017);
• Internet of Things (IoT) (ATZORI, IERA, MORABITO, 2010);
• Security has great importance in IoT (Roman, Lopez, Mambo, 2018).
Contextualization - Hybrid Approach to Intrusion Detection
• Intrusion;
• Intrusion Detection System (IDS);
• Intrusion Detection and Prevention System (IDPS);
• Types of detection methods (Mitchell and Chen, 2014):
  • Signature;
  • Anomaly;
  • Specification.
Problem - Hybrid Approach to Intrusion Detection
• Vulnerabilities in fog and IoT:
  • Heterogeneous environment;
  • Resource restrictions;
  • High number of devices;
• Some threats present in the fog and IoT environment:
  • Threats during manufacturing, installation, maintenance;
  • Denial of Service (DoS) and Distributed DoS (DDoS);
  • Man-In-The-Middle (MITM);
  • Routing attacks;
  • Conventional attacks.
• Need to detect the attack and execute countermeasures:
  • Need to detect the type of attack;
  • Execution of countermeasures;
  • Alert for the network manager.
Related Works - Hybrid Approach to Intrusion Detection
Work                              Multiclass  2Step  Method    Observations
Prabavathy et al. (2018)              x         -    OS-ELM    Low accuracy for some types of attacks
Diro et al. (2018)                    x         -    DNN       Low accuracy for some types of attacks
Li et al. (2018)                      -         -    KNN       Computational cost can be high
Pajouh et al. (2019)                  x         -    KNN       Computational cost can be high
Xu, Qian and Hu (2019)                x         -    SVM       It only addresses DoS and probing
Priyadarshini and Barik (2019)        -         -    LSTM      Focused only on DDoS
Almiani et al. (2020)                 x         -    RNN       Average accuracy for some types of attacks
Zhong et al. (2020)                   -         -    LSTM      Not designed for fog computing
Atefi et al. (2020)                   -         -    DNN       Few experiments performed for evaluation
This work                             x         x    DNN-KNN   KNN computational cost reduction
Related Works - Hybrid Approach to Intrusion Detection
• Some works focus on binary detection:
  • It is not possible to identify the type of attack;
• Existing multi-class approaches:
  • Lower accuracy than binary methods;
  • Low accuracy for some types of attacks;
• Robust methods in the fog can consume a lot of resources;
• Analysis in the cloud has the problem of latency.
Objectives - Hybrid Approach to Intrusion Detection
• Propose a hybrid and hierarchical approach based on fog and cloud computing for intrusion detection and prevention in IoT environments. The approach focuses on detecting the specific category of attack as well as implementing the appropriate countermeasures to mitigate it.
• Propose an intrusion detection approach based on binary and multiclass detection;
• Propose a binary method for the first detection step;
• Propose a multiclass method for the identification step;
• Generate and implement a mapping between IoT attacks and appropriate mitigation countermeasures.
Solution - Hybrid Approach to Intrusion Detection
• Approach to attack type detection and threat mitigation;
• Consisting of 3 steps;
• Combines binary detection and multiclass detection to identify the type of attack:
  • Detection (binary detection);
  • Identification (multiclass detection).
Solution - Hybrid Approach to Intrusion Detection
• Hierarchical architecture:
  • Fog;
  • Cloud;
• The multiclass classifier can be a more robust method.
Solution - Hybrid Approach to Intrusion Detection
• DNN-kNN method:
  • Hybrid approach with Deep Neural Network (DNN) and k-Nearest Neighbor (kNN).
Solution - Hybrid Approach to Intrusion Detection
• Artificial Neural Networks (ANN):
  • Biological inspiration;
  • Artificial neuron;
  • Deep Neural Networks (DNN);
  • Training;
  • Good accuracy;
  • May suffer from instabilities.
Solution - Hybrid Approach to Intrusion Detection
• DNN:
  • Multilayer Perceptron, feed-forward;
  • Two hidden layers;
  • Hyperbolic tangent activation;
  • Output layer:
    • Two neurons;
    • Softmax.
Solution - Hybrid Approach to Intrusion Detection
• k-Nearest Neighbors (kNN):
  • Instance-based learning;
  • Classification based on the similarity of instances;
  • Majority class among the k nearest neighbors;
  • Does not generate a model;
  • Usually has a small error rate;
  • Higher computational cost.
• k = 1 was adopted:
  • Classification according to the nearest neighbor;
  • Euclidean distance;
  • Base of examples structured in a K-D Tree (K-Dimensional Tree).
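The kNN stage as the slides describe it (k = 1, Euclidean distance, example base stored in a K-D Tree) is small enough to show in full. The Python below is an added example and not the authors' code: it builds a k-d tree over a constructed set of labelled flow records, answers nearest-neighbour queries with the usual plane-distance pruning, and cross-checks each answer against a brute-force scan. The three features (packets/s, bytes/packet, distinct destination ports), the labels and the query flows are constructed and assumed to be min-max normalised to [0, 1].

```python
"""1-NN over a k-d tree with Euclidean distance (the kNN stage with k = 1).

Added example, not the authors' code. The flow records, their labels and the
query points are constructed for illustration.
"""
import math
from typing import List, Optional, Sequence, Tuple

Point = Sequence[float]
Example = Tuple[Point, str]


class KDNode:
    """One node of the k-d tree: a stored example and the axis it splits on."""

    def __init__(self, point: Point, label: str, axis: int,
                 left: "Optional[KDNode]", right: "Optional[KDNode]"):
        self.point, self.label, self.axis = point, label, axis
        self.left, self.right = left, right


def build_kdtree(examples: List[Example], depth: int = 0) -> Optional[KDNode]:
    """Split on the median along the axis chosen round-robin by depth."""
    if not examples:
        return None
    axis = depth % len(examples[0][0])
    examples = sorted(examples, key=lambda ex: ex[0][axis])
    mid = len(examples) // 2
    point, label = examples[mid]
    return KDNode(point, label, axis,
                  build_kdtree(examples[:mid], depth + 1),
                  build_kdtree(examples[mid + 1:], depth + 1))


def euclidean(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(node: Optional[KDNode], query: Point,
            best: Optional[Tuple[float, str]] = None) -> Optional[Tuple[float, str]]:
    """Return (distance, label) of the closest stored example.

    Descend first into the side of the splitting plane that holds the query;
    visit the far side only if the plane is closer than the best distance so
    far. That pruning is what makes the tree cheaper than scanning the base."""
    if node is None:
        return best
    d = euclidean(node.point, query)
    if best is None or d < best[0]:
        best = (d, node.label)
    diff = query[node.axis] - node.point[node.axis]
    near, far = (node.left, node.right) if diff < 0 else (node.right, node.left)
    best = nearest(near, query, best)
    if abs(diff) < best[0]:  # a closer point may lie across the plane
        best = nearest(far, query, best)
    return best


def classify_1nn(tree: Optional[KDNode], query: Point) -> str:
    """k = 1: the label of the single nearest example."""
    return nearest(tree, query)[1]


def brute_force_1nn(examples: List[Example], query: Point) -> Tuple[float, str]:
    """Reference scan of the whole base, used to cross-check the tree search."""
    return min(((euclidean(p, query), lbl) for p, lbl in examples), key=lambda t: t[0])


# Constructed example base: (packets/s, bytes/packet, distinct dst ports), normalised.
TRAINING: List[Example] = [
    ((0.10, 0.80, 0.10), "normal"),
    ((0.20, 0.70, 0.10), "normal"),
    ((0.15, 0.90, 0.05), "normal"),
    ((0.90, 0.10, 0.10), "dos"),
    ((0.95, 0.05, 0.20), "dos"),
    ((0.30, 0.10, 0.90), "probe"),
    ((0.40, 0.20, 0.95), "probe"),
]

# Constructed query flows to classify.
QUERIES: List[Point] = [(0.12, 0.85, 0.08), (0.92, 0.08, 0.15), (0.35, 0.15, 0.90)]


def classify_all() -> List[str]:
    tree = build_kdtree(TRAINING)
    return [classify_1nn(tree, q) for q in QUERIES]


if __name__ == "__main__":
    for q, lbl in zip(QUERIES, classify_all()):
        print(q, "->", lbl)
```

With a real example base the tree is built once and reused for every flow, which is the point of the structure: the cost that the slides flag for kNN is in the per-query search, and the pruning in `nearest` is what keeps that search below a full scan.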
Solution - Hybrid Approach to Intrusion Detection
• Training process:
Evaluation - Hybrid Approach to Intrusion Detection
• Experiments to assess the feasibility of applying the method in a real environment:
  • NSL-KDD and CICIDS2017 databases;
  • 10-fold cross-validation;
• The results of the experiment can be organized as follows:
  • False Negatives (FN);
  • False Positives (FP);
  • True Negatives (TN);
  • True Positives (TP).
Evaluation - Hybrid Approach to Intrusion Detection
• Performance Metrics:
  • Accuracy: the proportion of instances correctly classified in relation to the total number of instances;
  • Error: the proportion of incorrectly classified instances in relation to the total number of instances;
  • Precision: proportion of instances correctly detected as intrusive among all detected as intrusive;
  • Recall: proportion of instances correctly classified as intrusive among all intrusive instances;
  • True Negative Rate (TNR): proportion of instances correctly classified as benign among all benign instances;
  • F-score: the harmonic mean of accuracy and recall, reaching its best value at 1 and worst at 0;
  • Matthews Correlation Coefficient (MCC): used as a measure of the quality of binary classifications, where -1 indicates a completely wrong binary classifier and 1 indicates a completely correct binary classifier.
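All of the metrics listed above follow from the four counts of the previous slide. The Python below is an added example, not the authors' evaluation code: it derives TP, FP, TN and FN from a constructed fold of labels and predictions (with "intrusive" as the positive class) and computes each metric from them. F-score is computed in its standard form, the harmonic mean of precision and recall, and MCC is guarded against the zero denominator that occurs when a class is absent from a fold.

```python
"""IDS evaluation metrics from the four confusion-matrix counts.

Added example, not the authors' evaluation code. 'intrusive' is treated as
the positive class; the labels and predictions below are constructed.
"""
import math
from typing import Dict, Sequence, Tuple


def confusion_counts(y_true: Sequence[str], y_pred: Sequence[str],
                     positive: str = "intrusive") -> Tuple[int, int, int, int]:
    """Return (TP, FP, TN, FN) for a binary labelling."""
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            if truth == positive:
                tp += 1          # flagged and really intrusive
            else:
                fp += 1          # flagged but benign (false alarm)
        elif truth == positive:
            fn += 1              # missed intrusion
        else:
            tn += 1              # benign correctly passed
    return tp, fp, tn, fn


def metrics(tp: int, fp: int, tn: int, fn: int) -> Dict[str, float]:
    """Compute the slide's metrics; ratios with an empty denominator are 0.0."""
    total = tp + fp + tn + fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0          # detection rate
    tnr = tn / (tn + fp) if tn + fp else 0.0
    f_score = (2 * precision * recall / (precision + recall)
               if precision + recall else 0.0)
    # MCC is undefined when any row or column of the matrix is empty.
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    mcc = (tp * tn - fp * fn) / denom if denom else 0.0
    return {
        "accuracy": (tp + tn) / total,
        "error": (fp + fn) / total,
        "precision": precision,
        "recall": recall,
        "tnr": tnr,
        "f_score": f_score,
        "mcc": mcc,
    }


# Constructed fold: ten flows, four of them intrusive.
Y_TRUE = ["intrusive"] * 4 + ["benign"] * 6
Y_PRED = ["intrusive", "intrusive", "intrusive", "benign",
          "benign", "benign", "benign", "benign", "intrusive", "benign"]


def evaluate_fold() -> Dict[str, float]:
    return metrics(*confusion_counts(Y_TRUE, Y_PRED))


if __name__ == "__main__":
    for name, value in evaluate_fold().items():
        print(f"{name:>9}: {value:.4f}")
```

In 10-fold cross-validation this function is applied once per held-out fold and the resulting dictionaries are averaged; keeping TNR next to recall makes the two failure modes of an IDS (missed intrusions versus false alarms) visible separately, which accuracy alone hides on imbalanced data.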
Evaluation - Hybrid Approach to Intrusion Detection
• Comparison of the results of different learning methods in experiments with the NSL-KDD database:
Deep Neural Network (DNN), k-Nearest Neighbor (kNN), Support Vector Machine (SVM), Decision Tree (DT) and Random Forest (RF).
Evaluation - Hybrid Approach to Intrusion Detection
• Comparison with different machine learning methods:
Evaluation - Hybrid Approach to Intrusion Detection
• DNN-kNN and kNN performed very well on the previous metrics;
• The computational cost of kNN is high;
• Processing time analysis to classify 12597 examples from the NSL-KDD base:
Evaluation - Hybrid Approach to Intrusion Detection
• Comparison of results from different related works in experiments with the NSL-KDD database.
Evaluation - Hybrid Approach to Intrusion Detection
• Performance comparison of different recent approaches with the CICIDS2017 Friday Afternoon DDoS dataset:
Evaluation - Hybrid Approach to Intrusion Detection
• Performance comparison of different recent approaches with the CICIDS2017 Wednesday DoS dataset:
Conclusions - Hybrid Approach to Intrusion Detection
• We presented a two-step approach for detecting and identifying intrusions in IoT and Fog computing;
• We proposed DNN-kNN, a hybrid binary classification method with high accuracy and detection rates, to compose the first level of the approach;
• DNN-kNN obtained promising results in relation to classic machine learning methods and to state-of-the-art works in the evaluation with the NSL-KDD and CICIDS2017 databases;
• As future work, we highlight the design of the method to compose the second level and the design of the countermeasure approach.
Reference - Hybrid Approach to Intrusion Detection
Cristiano Antonio de Souza, Carlos Becker Westphall, Renato Bobsin Machado, João Bosco Mangueira Sobral and Gustavo dos Santos Vieira. Hybrid approach to intrusion detection in fog-based IoT environments. Computer Networks, vol. 180, 107417, 2020. ISSN 1389-1286. doi: 10.1016/j.comnet.2020.107417. https://www.sciencedirect.com/science/article/pii/S1389128619315439
Thank you very much!
leandro.loffi@posgrad.ufsc.br
cristiano.souza.c@posgrad.ufsc.br
carlos.westphall@ufsc.br
carla.merkle.westphall@ufsc.br
renato.machado@unioeste.br