Combining Device Behavioral Models and Building Schema for Cybersecurity of Large-Scale IoT Infrastructure

Hamza A, Gharakheili Hh, Pering T, Sivaraman V

IEEE Internet of Things Journal (2022)

Abstract
Modern buildings are increasingly getting connected by adopting a range of IoT devices and applications from video surveillance and lighting to people counting and access control. It has been shown that rich connectivity can make building networks more exposed to cyberattacks and, hence, difficult to manage. Currently, there is no systematic approach for evaluating or enforcing cybersecurity of building systems with a large number of heterogeneous IoT devices. In this article, we aim to enhance cybersecurity of a large-scale IoT infrastructure by formally capturing the expected behavior of the system using the static profile of devices’ intended usage, buildings information, and network configurations (predeployment) along with dynamic diagnosis (post-deployment) of network activity using machine-learning models. Our contributions are threefold: 1) we develop a tool that automatically generates a formal ontology of network communications for a connected infrastructure by taking a description of buildings (in the form of Brick schema), device network behavior (in the form of manufacturer usage description (MUD) specifications, MUD profile), and network configurations (address, port, and VLAN) as inputs. We contribute our tool as open source, and apply it to a subset of our university smart campus testbed, covering 20 IoT devices of three types deployed in seven different buildings. We translate the formal model into network flow rules and enforce them on the network at runtime using programmable networking techniques; 2) we then measure the network activity of device-specific flow rules and diagnose their health using a set of trained anomaly detection models (one-class classifiers), each corresponding to a particular type of device and specific building location, and demonstrate how our method detects attacks with reasonable accuracy of 92.5%; and 3) finally, we demonstrate three types of location-defined network policies (deployment, administrative, and organizational) that can be verified by this formal model.
Keywords
Anomaly detection, behavioral modeling, building BRICK, IoT system ontology, manufacturer usage description (MUD) profile