TY - GEN
T1 - One MUD to Rule Them All
T2 - 2022 IEEE/IFIP Network Operations and Management Symposium, NOMS 2022
AU - Bremler-Barr, Anat
AU - Meyuhas, Bar
AU - Shister, Ran
N1 - Publisher Copyright: © 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Analyzing the network behavior of IoT devices, including which domains, protocols, and ports the device communicates with, is a fundamental challenge for IoT security and identification. Solutions that analyze and manage these areas must be able to learn what constitutes normal device behavior and then extract rules and features to permit only legitimate behavior or identify the device. The Manufacturer Usage Description (MUD) is an IETF white-list protection scheme that formalizes the authorized network behavior in a MUD file; this MUD file can then be used as a type of firewall mechanism. We demonstrate that learning what is normal behavior for an IoT device is more challenging than expected. In many cases, the same IoT device, with the same firmware, can exhibit different behavior or connect to different domains with different protocols, depending on the device's geographical location. We analyze and explain use-cases in which the location impacts device behavior. Then, we present a technique to generalize MUD files. By processing MUD files that originate in different locations, we can generalize and create a comprehensive MUD file that is applicable for all locations. To conduct the research, we created MUDIS, a MUD Inspection System tool, that compares and generalizes MUD files. Our open-source MUDIS tool and dataset are available online to researchers and IoT manufacturers, allowing anyone to visualize, compare, and generalize MUD files.
AB - Analyzing the network behavior of IoT devices, including which domains, protocols, and ports the device communicates with, is a fundamental challenge for IoT security and identification. Solutions that analyze and manage these areas must be able to learn what constitutes normal device behavior and then extract rules and features to permit only legitimate behavior or identify the device. The Manufacturer Usage Description (MUD) is an IETF white-list protection scheme that formalizes the authorized network behavior in a MUD file; this MUD file can then be used as a type of firewall mechanism. We demonstrate that learning what is normal behavior for an IoT device is more challenging than expected. In many cases, the same IoT device, with the same firmware, can exhibit different behavior or connect to different domains with different protocols, depending on the device's geographical location. We analyze and explain use-cases in which the location impacts device behavior. Then, we present a technique to generalize MUD files. By processing MUD files that originate in different locations, we can generalize and create a comprehensive MUD file that is applicable for all locations. To conduct the research, we created MUDIS, a MUD Inspection System tool, that compares and generalizes MUD files. Our open-source MUDIS tool and dataset are available online to researchers and IoT manufacturers, allowing anyone to visualize, compare, and generalize MUD files.
UR - http://www.scopus.com/inward/record.url?scp=85133167631&partnerID=8YFLogxK
U2 - https://doi.org/10.1109/NOMS54207.2022.9789828
DO - https://doi.org/10.1109/NOMS54207.2022.9789828
M3 - Conference contribution
T3 - Proceedings of the IEEE/IFIP Network Operations and Management Symposium 2022: Network and Service Management in the Era of Cloudification, Softwarization and Artificial Intelligence, NOMS 2022
BT - Proceedings of the IEEE/IFIP Network Operations and Management Symposium 2022
A2 - Varga, Pal
A2 - Granville, Lisandro Zambenedetti
A2 - Galis, Alex
A2 - Godor, Istvan
A2 - Limam, Noura
A2 - Chemouil, Prosper
A2 - Francois, Jerome
A2 - Pahl, Marc-Oliver
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 25 April 2022 through 29 April 2022
ER -