As we manage the IoT infrastructure with an eye on the device and software lifecycles and the health of devices and gateways, the entire infrastructure also needs to be monitored for tampering and for anomalies in normal behavior. Each requires a baseline to compare entities against: for tampering, a golden copy of the device is established and maintained; for anomalies, a behavioral profile is learnt from non-intrusive analysis of network traffic. These behavioral profiles support anomaly detection and tie detected anomalies to known attack vectors.

Detect Device Tampering

With Boot and Runtime Integrity attestations, EdgeLox, using core TPM technologies, helps detect any kind of tampering of gateway devices. The TPM PCRs (Platform Configuration Registers) capture the state of the device, including the boot sequence and the measurements of each boot module, so Boot integrity attestation involves periodically validating the PCR values on each gateway against pre-set values taken from a golden copy of the gateway. Runtime attestation, on the other hand, relies on a component called Integrity Measurement Architecture (IMA) that periodically measures the hash values of all active files on a filesystem. Again using the TPM, these measurements are validated against measurements from a golden copy of the gateway. With these two mechanisms, we can detect tampering in both the boot stack and any file in the filesystem.
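The two checks described above, written out as an added example (this is illustrative code, not EdgeLox's implementation). It replays a measured-boot event log through the TPM 2.0 SHA-256 extend operation to obtain expected PCR values, compares a gateway's reported PCRs against those from a golden copy, and compares an IMA-style list of file hashes against golden file hashes. All event digests, file paths and hashes are constructed for the example; a real verifier would first check the signature on the TPM quote that carries the PCR values, which this example assumes has already been done.

```python
"""Boot-integrity and runtime-integrity checks against a golden copy.

Added example, not EdgeLox code. Measurements below are constructed; in practice
they come from the TPM event log, a signed TPM quote and the IMA measurement list.
"""
import hashlib
from typing import Dict, List, Tuple

PCR_COUNT = 8          # only the PCRs this example cares about
PCR_INITIAL = bytes(32)  # SHA-256 bank PCRs 0-16 start at all zeros


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(current + measurement).digest()


def replay_boot_log(event_log: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay (pcr_index, digest) events in order to obtain the final PCR values."""
    pcrs = {i: PCR_INITIAL for i in range(PCR_COUNT)}
    for idx, digest in event_log:
        pcrs[idx] = pcr_extend(pcrs[idx], digest)
    return pcrs


def check_boot_integrity(reported: Dict[int, bytes], golden: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose reported value differs from the golden copy."""
    return sorted(i for i in golden if reported.get(i) != golden[i])


def check_runtime_integrity(ima_list: Dict[str, str],
                            golden_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare an IMA-style {path: sha256hex} list against golden hashes.

    Returns files whose hash changed, files not present in the golden copy, and
    golden files that are no longer reported (a removed or hidden file is also a
    deviation worth flagging).
    """
    modified = sorted(p for p in golden_files if p in ima_list and ima_list[p] != golden_files[p])
    unexpected = sorted(p for p in ima_list if p not in golden_files)
    missing = sorted(p for p in golden_files if p not in ima_list)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def _digest(component: bytes) -> bytes:
    """Stand-in for the digest of a boot component (constructed)."""
    return hashlib.sha256(component).digest()


# Constructed measured-boot event logs: firmware into PCR 0, bootloader and kernel into PCR 4.
GOLDEN_EVENT_LOG = [(0, _digest(b"firmware-v1")), (4, _digest(b"bootloader-v1")), (4, _digest(b"kernel-v1"))]
TAMPERED_EVENT_LOG = [(0, _digest(b"firmware-v1")), (4, _digest(b"bootloader-v1")), (4, _digest(b"kernel-modified"))]

# Constructed golden file hashes and a reported IMA list with one changed and one extra file.
GOLDEN_FILES = {
    "/usr/bin/agentd": hashlib.sha256(b"agentd-v1").hexdigest(),
    "/etc/agentd.conf": hashlib.sha256(b"conf-v1").hexdigest(),
}
REPORTED_IMA = {
    "/usr/bin/agentd": hashlib.sha256(b"agentd-patched").hexdigest(),
    "/etc/agentd.conf": hashlib.sha256(b"conf-v1").hexdigest(),
    "/opt/unknown-binary": hashlib.sha256(b"not-in-golden-copy").hexdigest(),
}


if __name__ == "__main__":
    golden_pcrs = replay_boot_log(GOLDEN_EVENT_LOG)
    print("tampered PCRs:", check_boot_integrity(replay_boot_log(TAMPERED_EVENT_LOG), golden_pcrs))
    print("runtime deviations:", check_runtime_integrity(REPORTED_IMA, GOLDEN_FILES))
```

Replaying the event log rather than storing only final PCR values lets the verifier report which boot component changed, not just which PCR; the file comparison likewise reports the path, which is what an operator needs to decide whether a change was an authorized update or tampering.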

Profile Device Behavior & Detect Anomalies

Using language models, EdgeLox learns the behavior of devices as patterns across process flows, network traffic and workload execution. Each behavioral pattern is compared to the one learnt for that device type in that environment, so that any deviation can be accurately discovered. While typical user devices have many execution patterns that come together as one behavioral model, most IoT devices have a limited set of functions that make up a behavioral pattern. Anomalies are detected based on any kind of deviation from this normal behavior.

Root Cause Analysis

For the time period of the anomaly, the system extracts the exact aspect of the behavior that is causing the anomaly and ties it to the most probable known attack vectors. Tying abnormal behavior to a known pattern helps with timely remediation.
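The profiling, anomaly detection and root-cause steps in the two sections above, as an added example (illustrative code, not EdgeLox's models). Simple window statistics stand in for the learned language models: the baseline for a device is the set of network endpoints it talks to, the set of processes it runs, and the mean and spread of bytes sent per observation window. A new window is flagged when it deviates on any of those aspects, and each finding names the deviating aspect and maps it to a category from a small, constructed vector catalog. The telemetry, the device type and the catalog entries are all constructed for the example.

```python
"""Per-device behavioral baseline, anomaly detection and root-cause tagging.

Added example, not EdgeLox code. Windowed statistics replace the page's learned
models; telemetry windows and the vector catalog are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, int]  # (dst_ip, dst_port, bytes_sent)


@dataclass
class Baseline:
    endpoints: Set[Tuple[str, int]] = field(default_factory=set)
    processes: Set[str] = field(default_factory=set)
    bytes_mean: float = 0.0
    bytes_std: float = 0.0


def learn_baseline(windows: List[Dict]) -> Baseline:
    """Learn a baseline from observation windows believed to be normal."""
    b = Baseline()
    totals = []
    for w in windows:
        b.endpoints.update((dst, port) for dst, port, _ in w["flows"])
        b.processes.update(w["processes"])
        totals.append(sum(nbytes for _, _, nbytes in w["flows"]))
    b.bytes_mean = mean(totals)
    b.bytes_std = pstdev(totals)
    return b


# Constructed catalog: deviating aspect -> most probable known vector category.
KNOWN_VECTORS = {
    "new_endpoint": "unauthorized remote connectivity (possible command-and-control or exfiltration channel)",
    "volume_spike": "data exfiltration or participation in flooding traffic",
    "new_process": "unauthorized code execution on the device",
}


def detect_anomalies(window: Dict, baseline: Baseline, z_threshold: float = 3.0) -> List[Tuple[str, str]]:
    """Return (aspect, detail) findings for every way the window deviates from baseline."""
    findings: List[Tuple[str, str]] = []
    for dst, port, _ in window["flows"]:
        if (dst, port) not in baseline.endpoints:
            findings.append(("new_endpoint", f"{dst}:{port}"))
    total = sum(nbytes for _, _, nbytes in window["flows"])
    if baseline.bytes_std > 0:
        spike = (total - baseline.bytes_mean) / baseline.bytes_std > z_threshold
    else:  # a perfectly constant training set: fall back to a simple ratio (assumption)
        spike = total > 2 * baseline.bytes_mean
    if spike:
        findings.append(("volume_spike", f"{total} bytes vs. mean {baseline.bytes_mean:.0f}"))
    for proc in window["processes"]:
        if proc not in baseline.processes:
            findings.append(("new_process", proc))
    return findings


def root_cause(findings: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Tie each deviating aspect to its most probable known vector category."""
    return [(aspect, detail, KNOWN_VECTORS[aspect]) for aspect, detail in findings]


# Constructed telemetry for a sensor gateway: MQTT to a broker, NTP to a time server.
BROKER, NTP = ("10.0.0.5", 8883), ("10.0.0.9", 123)
TRAINING_WINDOWS = [
    {"flows": [(*BROKER, 950), (*NTP, 50)], "processes": ["sensord", "ntpd"]},
    {"flows": [(*BROKER, 1050), (*NTP, 50)], "processes": ["sensord", "ntpd"]},
    {"flows": [(*BROKER, 850), (*NTP, 50)], "processes": ["sensord"]},
    {"flows": [(*BROKER, 1000), (*NTP, 50)], "processes": ["sensord", "ntpd"]},
    {"flows": [(*BROKER, 900), (*NTP, 50)], "processes": ["sensord"]},
]
NORMAL_WINDOW = {"flows": [(*BROKER, 970), (*NTP, 50)], "processes": ["sensord"]}
SUSPECT_WINDOW = {
    "flows": [(*BROKER, 500), ("203.0.113.7", 8443, 11500)],
    "processes": ["sensord", "sh"],
}


if __name__ == "__main__":
    base = learn_baseline(TRAINING_WINDOWS)
    for aspect, detail, vector in root_cause(detect_anomalies(SUSPECT_WINDOW, base)):
        print(f"{aspect:13} {detail:40} -> {vector}")
```

Because IoT devices have a small, stable set of functions, a baseline this simple already separates the normal window from the suspect one; the value of the root-cause step is that the alert names the exact deviating aspect (a new endpoint, a volume spike, an unknown process) rather than only a score, so the policy that follows can be targeted.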

Enforce Policies

As we detect security breaches in the form of device tampering or changes in device behavior, we need to interface with systems on the network to drive remedial actions. While alerts are a good first step for notifying admins of security breaches, security policies pushed to Network Management Systems (NMS) or Intrusion Prevention Systems (IPS) automate the security procedures to a much greater degree. This involves policies for network security, device security, Internet access, VPN and remote connectivity, port communications and LAN access.