Dynamic System Diversification for Securing Cloud-based IoT Subnetworks
Remote exploitation attacks use software vulnerabilities to penetrate
through a network of Internet of Things (IoT) devices.
This work addresses defending against remote exploitation attacks on
vulnerable IoT devices. As an attack mitigation strategy,
we assume it is not possible to fix all the vulnerabilities and propose
to diversify the open-source software used to manage IoT devices.
Our approach is to deploy dynamic cloud-based virtual machine proxies
for physical IoT devices.
Our architecture leverages virtual machine proxies with diverse
software configurations to mitigate vulnerable and static software
configurations on physical devices. We develop an algorithm for
selecting new configurations based on network anomaly detection
signals to learn vulnerable software configurations on IoT devices,
automatically shifting towards more secure configurations.
Cloud-based proxy machines mediate requests between application
clients and vulnerable IoT devices, facilitating a dynamic diversification system.
We report on simulation experiments to evaluate the dynamic system.
Two models of powerful adversaries are introduced and simulated against
the diversified defense strategy.
Our experiments show that a dynamically diversified IoT architecture can
be invulnerable to large classes of attacks that would succeed against
a static architecture.
Almohri, H. M. J., Watson, L. T., Evans, D., and Billups, S. “Dynamic System Diversification for Securing Cloud-based IoT Subnetworks.” ACM Transactions on Autonomous and Adaptive Systems, vol. 17, no. 1–2, 2022, Article 2, pp. 1–23.