New Techniques for Protection of IoT Devices From Malicious Behavior using Working Set Based System Call Whitelisting and Argument Clustering
Abstract - The rapid evolution of Industry 4.0 and the spread of the Internet of Things (IoT) are supporting the growth of cyber-physical systems for societal applications. Designing secure IoT devices is challenging because of their constrained computational and storage resources, and attackers exploit vulnerabilities in deployed IoT devices to carry out malicious activities. Various anomaly detection approaches have been proposed in the literature for detecting malicious behavior at runtime, but they are not suitable for resource-constrained IoT devices. In this paper, we propose new techniques for detecting runtime intrusions and protecting IoT devices using working set based system call whitelisting and argument clustering. The proposed whitelisting technique keeps separate system call whitelists for the initialization phase and the service phase of a field-deployed IoT device, so that each phase is restricted to the system calls it actually needs and the attack surface is reduced. We evaluated the proposed technique on the Telnet service of the Tenda AC15, firmware version 15.03.05.19. The experimental results show that working set based whitelisting reduces the set of permitted system calls by 44% during the initialization phase and by 40% during the service phase. In addition, we use a system call argument clustering technique to augment the detection of malicious behavior that is injected at runtime by modifying the arguments of whitelisted system calls.
Keywords - IoT Security, Malicious Behavior, Whitelisting, Working Set, Argument Clustering, Attack Surface
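The following Python sketch is an added illustration of the two mechanisms the abstract describes, not code from the paper or its authors. It builds one system call working set per phase (initialization versus service) from a benign training trace, reports how much each phase-specific whitelist shrinks relative to a single global whitelist, and then clusters the arguments of whitelisted calls so that a permitted call invoked with an argument outside any known cluster is still flagged. The strace-like records, phase labels, system calls and paths are constructed by hand to resemble a Telnet daemon and are not data from the Tenda AC15 evaluation; the clustering rule in arg_signature() (directory prefix for paths, exact value or digit count for integers) is an assumed stand-in, since the abstract does not specify the paper's own clustering method.

```python
"""Working set based system call whitelisting plus argument clustering.

Added example, not code from the paper. The strace-like records below are
constructed by hand: phase labels, syscalls and paths are assumptions chosen
to resemble a Telnet daemon, not data from the Tenda AC15 evaluation. The
clustering rule in arg_signature() is a simple stand-in for whatever
clustering the paper uses, which the abstract does not specify.
"""
from collections import defaultdict

# Each record is (phase, syscall, args). "init" covers one-time setup such as
# binding the listening socket; "service" covers steady-state session handling.
TRAINING_TRACE = [
    ("init", "open", ["/etc/passwd"]),
    ("init", "open", ["/etc/telnetd.conf"]),
    ("init", "socket", [2, 1, 0]),
    ("init", "bind", [3]),
    ("init", "listen", [3, 5]),
    ("init", "chdir", ["/"]),
    ("init", "setuid", [0]),
    ("service", "accept", [3]),
    ("service", "read", [4]),
    ("service", "write", [4]),
    ("service", "open", ["/var/log/telnet.log"]),
    ("service", "open", ["/var/run/telnetd.pid"]),
    ("service", "execve", ["/bin/login"]),
    ("service", "close", [4]),
]

# Constructed runtime trace: benign calls mixed with three kinds of misuse.
RUNTIME_TRACE = [
    ("service", "accept", [3]),
    ("service", "open", ["/var/log/telnet.log"]),  # benign
    ("service", "open", ["/etc/shadow"]),          # whitelisted call, unseen argument cluster
    ("service", "socket", [2, 1, 0]),              # only allowed in the init phase
    ("service", "execve", ["/bin/login"]),         # benign
    ("service", "execve", ["/tmp/payload"]),       # whitelisted call, unseen argument cluster
]

def build_whitelists(trace):
    """Per-phase working sets: the syscalls observed in each phase of the
    benign training trace."""
    whitelists = defaultdict(set)
    for phase, call, _ in trace:
        whitelists[phase].add(call)
    return dict(whitelists)

def reduction(whitelists):
    """Fraction of the global (all-phase) working set that each phase-specific
    whitelist leaves out; this is the attack-surface reduction being measured."""
    global_set = set().union(*whitelists.values())
    return {p: 1 - len(s) / len(global_set) for p, s in whitelists.items()}

def arg_signature(arg):
    """Map one argument to a cluster key. Paths cluster by their directory,
    small integers (fds, flags) by exact value, large integers by digit count."""
    if isinstance(arg, str):
        if arg.startswith("/"):
            return ("path", arg.rsplit("/", 1)[0] or "/")
        return ("str", len(arg))
    if isinstance(arg, int):
        if abs(arg) < 16:
            return ("int-exact", arg)
        return ("int-digits", len(str(abs(arg))))
    return ("other", type(arg).__name__)

def build_arg_clusters(trace):
    """For each (phase, syscall, argument position), the cluster keys seen in
    training. Keying by phase means /etc/* is normal for open() during init
    but anomalous once the daemon is serving sessions."""
    clusters = defaultdict(set)
    for phase, call, args in trace:
        for i, a in enumerate(args):
            clusters[(phase, call, i)].add(arg_signature(a))
    return dict(clusters)

def check_trace(trace, whitelists, clusters):
    """Return alerts for a runtime trace: first the phase whitelist check,
    then argument clustering for calls the whitelist allows."""
    alerts = []
    for phase, call, args in trace:
        if call not in whitelists.get(phase, set()):
            alerts.append(("unlisted_syscall", phase, call, args))
            continue
        for i, a in enumerate(args):
            if arg_signature(a) not in clusters.get((phase, call, i), set()):
                alerts.append(("argument_outlier", phase, call, args))
                break
    return alerts

if __name__ == "__main__":
    wl = build_whitelists(TRAINING_TRACE)
    for phase, frac in sorted(reduction(wl).items()):
        print(f"{phase}: {len(wl[phase])} syscalls, {frac:.0%} fewer than the global set")
    for alert in check_trace(RUNTIME_TRACE, wl, build_arg_clusters(TRAINING_TRACE)):
        print(alert)
```

Two points the constructed run makes visible: socket() is rejected in the service phase even though a single global whitelist would allow it, which is the attack-surface reduction that phase separation buys, and open("/etc/shadow") is rejected in the service phase but accepted during init, because the argument clusters are keyed by phase as well as by call. A real deployment would derive the phase boundary from the daemon's own lifecycle (for example the first accept()), and would need enough training runs for the clusters to cover the benign argument space before enforcement is switched on.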