Towards Actionable Security Guidelines for IoT Compliance Auditing and Integration with Trustworthiness

制定物联网合规性审计和可信度集成的可行安全指南

• 批准号: 577183-2022
• 负责人: Majumdar, SuryadiptaS
• 金额: $ 3.28万
• 依托单位: Concordia University
• 依托单位国家: 加拿大
• 项目类别: Alliance Grants
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=750635
• 关键词: Towards; Actionable; Security; Guidelines; IoT

There has been a significant increase in the deployments of the Internet of Things (IoT) devices over the last few years. Security, however, has lagged behind, as evidenced by the increasing number of attacks that target IoT devices (e.g., an arson that uses a smart oven, burglary via a smart lock), which may lead to as severe consequences as, not to mention sometimes more than, those targeting conventional devices. Nowadays, IoT devices tend to be trusted with more personal and security-critical data, although with relatively less computing power. Common causes of those attacks include but are not limited to software vulnerabilities and misconfigurations. Another important contributor is the multiparty model of the IoT device lifecycle, e.g., what the vendor/developer left as "defaults" might not match a security-unaware user's situation. Despite existing efforts, mitigating such security threats still remains challenging mainly for the following reasons: 1) current IoT security recommendations (e.g., NIST, ENISA) are too high-level to produce actionable items for enforcement/auditing; 2) those recommendations are not also expressed using system-level data so that the developers and manufacturers of IoT devices can easily integrate them into the device implementation; 3) most IoT devices lack sufficient storage and computational capabilities to conduct compliance auditing (e.g., using formal methods); and 4) collecting data from those devices, which frequently generate/collect sensitive information, introduces new privacy concerns.This proposed program seeks to overcome those challenges and develop an AI-enhanced security framework for IoT devices to benefit from the security recommendations/standards in an automated manner. The objectives of this program are to: (i) derive actionable security guidelines by bridging the gap between the high-level recommendations and low-level system technicality; (ii) overcome the resource constraint and privacy concerns about data sharing; (iii) provide trustworthiness assurance for either the integration of those guidelines during the development/manufacturing phase, or the compliance auditing thereof, of the user's choice. In pursuit of these objectives, the proposed research will be conducted through several major research thrusts. First, we will build an automated solution to translate high-level recommendations into more concrete, actionable security guidelines that adapts to heterogeneous IoT platforms, by applying natural language processing (NLP) techniques. Second, we will devise a compliance auditing approach that learns the clusters of similar devices using nonsensitive data (e.g., design specifications) and then locally utilizes the sensitive data (e.g., sensor data) to perform the actual auditing in a federated manner to preserve privacy. Third and orthogonally, we will develop an automated technique to generate concrete integration inputs, e.g., scripts, templates and policies, so that the developers/manufacturers can easily apply these actionable guidelines and proactively ensure compliance if they choose to. Both the second and third thrusts will try to make use of current hardware-based techniques (e.g., trusted computing). The outcome of the proposed research will help secure IoT environments and can be used to design a viable adoption plan (e.g., IoT security education, defining security policies) for the upcoming IoT era.

在过去的几年里，物联网（IoT）设备的部署有了显著的增长。然而，安全性已经落后，正如越来越多的针对物联网设备的攻击所证明的那样（例如，使用智能烤箱的纵火、通过智能锁的入室盗窃），这可能导致与针对传统设备的那些一样严重的后果，更不用说有时甚至更严重。如今，物联网设备往往被信任拥有更多的个人和安全关键数据，尽管计算能力相对较低。这些攻击的常见原因包括但不限于软件漏洞和错误配置。另一个重要贡献者是物联网设备生命周期的多方模型，例如，供应商/开发者留下的“默认值”可能不匹配不知道安全性的用户的情况。尽管已有努力，但减轻此类安全威胁仍然具有挑战性，主要原因如下：1）当前的物联网安全建议（例如，NIST，ENISA）的级别太高，无法产生用于执行/审计的可操作项目; 2）这些建议也没有使用系统级数据来表达，以便IoT设备的开发人员和制造商可以轻松地将它们集成到设备实现中; 3）大多数IoT设备缺乏足够的存储和计算能力来进行合规性审计（例如，使用正式方法）;以及4）从这些经常生成/收集敏感信息的设备收集数据，引入了新的隐私问题。该拟议计划旨在克服这些挑战，并为物联网设备开发一个AI增强的安全框架，以自动化的方式从安全建议/标准中受益。该计划的目标是：（i）通过弥合高级建议和低级系统技术性之间的差距，推导出可操作的安全指南;（ii）克服资源限制和数据共享的隐私问题;（iii）为用户选择在开发/制造阶段集成这些指南或对其进行合规性审计提供可信度保证。为了实现这些目标，拟议的研究将通过几个主要研究方向进行。首先，我们将构建一个自动化解决方案，通过应用自然语言处理（NLP）技术，将高级建议转化为更具体、可操作的安全指南，以适应异构物联网平台。其次，我们将设计一种合规性审计方法，该方法使用非敏感数据（例如，设计规范）并且然后本地地利用敏感数据（例如，传感器数据）来以联合方式执行实际审计以保护隐私。第三，也是正交的，我们将开发一种自动化技术来生成具体的集成输入，例如，脚本、模板和政策，以便开发人员/制造商可以轻松应用这些可操作的指导方针，并主动确保合规性（如果他们选择这样做）。第二次和第三次推进都将尝试利用当前基于硬件的技术（例如，可信计算）。拟议研究的结果将有助于保护物联网环境，并可用于设计可行的采用计划（例如，物联网安全教育，定义安全策略）为即将到来的物联网时代。